From patchwork Wed Sep 6 02:21:14 2023 X-Patchwork-Submitter: "Lee, Chee Yang" X-Patchwork-Id: 30067 From: chee.yang.lee@intel.com To: openembedded-core@lists.openembedded.org Subject: [dunfell][PATCH 1/5] python3: update to 3.8.18 Date: Wed, 6 Sep 2023 10:21:14 +0800 Message-Id: <20230906022118.1593547-1-chee.yang.lee@intel.com> X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/187268 From: Lee Chee Yang https://docs.python.org/release/3.8.18/whatsnew/changelog.html#changelog Release date: 2023-08-24 Security gh-108310: Fixed an issue where instances of ssl.SSLSocket were vulnerable to a bypass of the TLS handshake and included protections (like certificate verification) and treating sent unencrypted data as if it were post-handshake TLS encrypted data. Security issue reported as CVE-2023-40217 by Aapo Oksman. Patch by Gregory P. Smith. Library gh-107845: tarfile.data_filter() now takes the location of symlinks into account when determining their target, so it will no longer reject some valid tarballs with LinkOutsideDestinationError. Tools/Demos gh-107565: Update multissltests and GitHub CI workflows to use OpenSSL 1.1.1v, 3.0.10, and 3.1.2. Signed-off-by: Lee Chee Yang --- .../python/{python3_3.8.17.bb => python3_3.8.18.bb} | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) rename meta/recipes-devtools/python/{python3_3.8.17.bb => python3_3.8.18.bb} (99%) diff --git a/meta/recipes-devtools/python/python3_3.8.17.bb b/meta/recipes-devtools/python/python3_3.8.18.bb similarity index 99% rename from meta/recipes-devtools/python/python3_3.8.17.bb rename to meta/recipes-devtools/python/python3_3.8.18.bb index 00c4ff497a..9d0f72ecf9 100644 --- a/meta/recipes-devtools/python/python3_3.8.17.bb +++ b/meta/recipes-devtools/python/python3_3.8.18.bb 
@@ -43,8 +43,8 @@ SRC_URI_append_class-native = " \ file://0001-Don-t-search-system-for-headers-libraries.patch \ " -SRC_URI[md5sum] = "70223497e664524303ca2364208647e1" -SRC_URI[sha256sum] = "2e54b0c68191f16552f6de2e97a2396540572a219f6bbb28591a137cecc490a9" +SRC_URI[md5sum] = "5ea6267ea00513fc31d3746feb35842d" +SRC_URI[sha256sum] = "3ffb71cd349a326ba7b2fadc7e7df86ba577dd9c4917e52a8401adbda7405e3f" # exclude pre-releases for both python 2.x and 3.x UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P\d+(\.\d+)+).tar" 
From patchwork Wed Sep 6 02:21:15 2023 X-Patchwork-Submitter: "Lee, Chee Yang" X-Patchwork-Id: 30068 From: chee.yang.lee@intel.com To: openembedded-core@lists.openembedded.org Subject: [dunfell][PATCH 2/5] libxpm: fix CVE-2022-46285 Date: Wed, 6 Sep 2023 10:21:15 +0800 Message-Id: <20230906022118.1593547-2-chee.yang.lee@intel.com> In-Reply-To: <20230906022118.1593547-1-chee.yang.lee@intel.com> References: <20230906022118.1593547-1-chee.yang.lee@intel.com> X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/187269 From: Lee Chee Yang Signed-off-by: Lee Chee Yang --- .../xorg-lib/libxpm/CVE-2022-46285.patch | 40 +++++++++++++++++++ .../xorg-lib/libxpm_3.5.13.bb | 2 + 2 files changed, 42 insertions(+) create mode 100644 meta/recipes-graphics/xorg-lib/libxpm/CVE-2022-46285.patch diff --git a/meta/recipes-graphics/xorg-lib/libxpm/CVE-2022-46285.patch b/meta/recipes-graphics/xorg-lib/libxpm/CVE-2022-46285.patch new file mode 100644 index 0000000000..e8b654dfb2 --- /dev/null +++ b/meta/recipes-graphics/xorg-lib/libxpm/CVE-2022-46285.patch 
@@ -0,0 +1,40 @@ +CVE: CVE-2022-46285 +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/a3a7c6dcc3b629d7650148 ] +Signed-off-by: Lee Chee Yang + +From a3a7c6dcc3b629d765014816c566c63165c63ca8 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Sat, 17 Dec 2022 12:23:45 -0800 +Subject: [PATCH] Fix CVE-2022-46285: Infinite loop on unclosed comments + +When reading XPM images from a file with libXpm 3.5.14 or older, if a +comment in the file is not closed (i.e. a C-style comment starts with +"/*" and is missing the closing "*/"), the ParseComment() function will +loop forever calling getc() to try to read the rest of the comment, +failing to notice that it has returned EOF, which may cause a denial of +service to the calling program. + +Reported-by: Marco Ivaldi +Signed-off-by: Alan Coopersmith +--- + src/data.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/data.c b/src/data.c +index 898889c..bfad4ff 100644 +--- a/src/data.c ++++ b/src/data.c +@@ -174,6 +174,10 @@ ParseComment(xpmData *data) + notend = 0; + Ungetc(data, *s, file); + } ++ else if (c == EOF) { ++ /* hit end of file before the end of the comment */ ++ return XpmFileInvalid; ++ } + } + return 0; + } +-- +GitLab + diff --git a/meta/recipes-graphics/xorg-lib/libxpm_3.5.13.bb b/meta/recipes-graphics/xorg-lib/libxpm_3.5.13.bb index fda8e32d2c..8937e61cb5 100644 --- a/meta/recipes-graphics/xorg-lib/libxpm_3.5.13.bb +++ b/meta/recipes-graphics/xorg-lib/libxpm_3.5.13.bb 
@@ -21,6 +21,8 @@ PACKAGES =+ "sxpm cxpm" FILES_cxpm = "${bindir}/cxpm" FILES_sxpm = "${bindir}/sxpm" +SRC_URI += " file://CVE-2022-46285.patch" + SRC_URI[md5sum] = "6f0ecf8d103d528cfc803aa475137afa" SRC_URI[sha256sum] = "9cd1da57588b6cb71450eff2273ef6b657537a9ac4d02d0014228845b935ac25" 
From patchwork Wed Sep 6 02:21:16 2023 X-Patchwork-Submitter: "Lee, Chee Yang" X-Patchwork-Id: 30070 X-Patchwork-Delegate: steve@sakoman.com From: chee.yang.lee@intel.com To: openembedded-core@lists.openembedded.org Subject: [dunfell][PATCH 3/5] qemu: fix CVE-2020-24165 Date: Wed, 6 Sep 2023 10:21:16 +0800 Message-Id: <20230906022118.1593547-3-chee.yang.lee@intel.com> In-Reply-To: <20230906022118.1593547-1-chee.yang.lee@intel.com> References: <20230906022118.1593547-1-chee.yang.lee@intel.com> X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/187270 From: Lee Chee Yang Signed-off-by: Lee Chee Yang --- meta/recipes-devtools/qemu/qemu.inc | 3 +- .../qemu/qemu/CVE-2020-24165.patch | 94 +++++++++++++++++++ 2 files changed, 96 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-24165.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 2871818cb1..2dd3549a59 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -139,7 +139,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch \ file://CVE-2023-0330.patch \ file://CVE-2023-3354.patch \ - " + file://CVE-2020-24165.patch \ + " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" SRC_URI[md5sum] = "278eeb294e4b497e79af7a57e660cb9a" 
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-24165.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-24165.patch new file mode 100644 index 0000000000..e0a27331a8 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-24165.patch 
@@ -0,0 +1,94 @@ +CVE: CVE-2020-24165 +Upstream-Status: Backport [https://github.com/qemu/qemu/commit/886cc68943ebe8cf7e5f970be33459f95068a441 ] +Signed-off-by: Lee Chee Yang + +From 886cc68943ebe8cf7e5f970be33459f95068a441 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Alex=20Benn=C3=A9e?= +Date: Fri, 14 Feb 2020 14:49:52 +0000 +Subject: [PATCH] accel/tcg: fix race in cpu_exec_step_atomic (bug 1863025) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The bug describes a race whereby cpu_exec_step_atomic can acquire a TB +which is invalidated by a tb_flush before we execute it. This doesn't +affect the other cpu_exec modes as a tb_flush by it's nature can only +occur on a quiescent system. The race was described as: + + B2. tcg_cpu_exec => cpu_exec => tb_find => tb_gen_code + B3. tcg_tb_alloc obtains a new TB + + C3. TB obtained with tb_lookup__cpu_state or tb_gen_code + (same TB as B2) + + A3. start_exclusive critical section entered + A4. do_tb_flush is called, TB memory freed/re-allocated + A5. end_exclusive exits critical section + + B2. tcg_cpu_exec => cpu_exec => tb_find => tb_gen_code + B3. tcg_tb_alloc reallocates TB from B2 + + C4. start_exclusive critical section entered + C5. cpu_tb_exec executes the TB code that was free in A4 + +The simplest fix is to widen the exclusive period to include the TB +lookup. As a result we can drop the complication of checking we are in +the exclusive region before we end it. 
+ +Cc: Yifan +Buglink: https://bugs.launchpad.net/qemu/+bug/1863025 +Reviewed-by: Paolo Bonzini +Reviewed-by: Richard Henderson +Signed-off-by: Alex Bennée +Message-Id: <20200214144952.15502-1-alex.bennee@linaro.org> +Signed-off-by: Richard Henderson +--- + accel/tcg/cpu-exec.c | 21 +++++++++++---------- + 1 file changed, 11 insertions(+), 10 deletions(-) + +diff --git a/accel/tcg/cpu-exec.c b/accel/tcg/cpu-exec.c +index 2560c90eec79..d95c4848a47b 100644 +--- a/accel/tcg/cpu-exec.c ++++ b/accel/tcg/cpu-exec.c +@@ -240,6 +240,8 @@ void cpu_exec_step_atomic(CPUState *cpu) + uint32_t cf_mask = cflags & CF_HASH_MASK; + + if (sigsetjmp(cpu->jmp_env, 0) == 0) { ++ start_exclusive(); ++ + tb = tb_lookup__cpu_state(cpu, &pc, &cs_base, &flags, cf_mask); + if (tb == NULL) { + mmap_lock(); +@@ -247,8 +249,6 @@ void cpu_exec_step_atomic(CPUState *cpu) + mmap_unlock(); + } + +- start_exclusive(); +- + /* Since we got here, we know that parallel_cpus must be true. */ + parallel_cpus = false; + cc->cpu_exec_enter(cpu); +@@ -271,14 +271,15 @@ void cpu_exec_step_atomic(CPUState *cpu) + qemu_plugin_disable_mem_helpers(cpu); + } + +- if (cpu_in_exclusive_context(cpu)) { +- /* We might longjump out of either the codegen or the +- * execution, so must make sure we only end the exclusive +- * region if we started it. +- */ +- parallel_cpus = true; +- end_exclusive(); +- } ++ ++ /* ++ * As we start the exclusive region before codegen we must still ++ * be in the region if we longjump out of either the codegen or ++ * the execution. 
++ */ ++ g_assert(cpu_in_exclusive_context(cpu)); ++ parallel_cpus = true; ++ end_exclusive(); + } + + struct tb_desc { 
From patchwork Wed Sep 6 02:21:17 2023 X-Patchwork-Submitter: "Lee, Chee Yang" X-Patchwork-Id: 30069 X-Patchwork-Delegate: steve@sakoman.com From: chee.yang.lee@intel.com To: openembedded-core@lists.openembedded.org Subject: [dunfell][PATCH 4/5] nasm: update 2.15.03 -> 2.15.05 Date: Wed, 6 Sep 2023 10:21:17 +0800 Message-Id: <20230906022118.1593547-4-chee.yang.lee@intel.com> In-Reply-To: <20230906022118.1593547-1-chee.yang.lee@intel.com> References: <20230906022118.1593547-1-chee.yang.lee@intel.com> X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/187271 From: Alexander Kanavin Use autotools-brokensep as new version needs that. upgrade include fix for CVE-2020-21686 and CVE-2022-29654 (cherry picked from commit c9c724ffa36757b56e70bc8d7b880c0c5777b153) Signed-off-by: Alexander Kanavin Signed-off-by: Richard Purdie Signed-off-by: Lee Chee Yang --- .../0002-Add-debug-prefix-map-option.patch | 42 +++++++++---------- .../nasm/{nasm_2.15.03.bb => nasm_2.15.05.bb} | 4 +- 2 files changed, 22 insertions(+), 24 deletions(-) rename meta/recipes-devtools/nasm/{nasm_2.15.03.bb => nasm_2.15.05.bb} (84%) diff --git a/meta/recipes-devtools/nasm/nasm/0002-Add-debug-prefix-map-option.patch b/meta/recipes-devtools/nasm/nasm/0002-Add-debug-prefix-map-option.patch index f788e0fd43..9f4c8dc0bd 100644 --- a/meta/recipes-devtools/nasm/nasm/0002-Add-debug-prefix-map-option.patch +++ b/meta/recipes-devtools/nasm/nasm/0002-Add-debug-prefix-map-option.patch @@ -1,4 +1,4 @@ -From bb4e42ad3a0cdd23a1d1797e6299c76b474867c0 Mon Sep 17 00:00:00 2001 +From 81d6519499dcfebe7d21e65e002a8885a4e8d852 Mon Sep 17 00:00:00 2001 
From: Joshua Watt Date: Tue, 19 Nov 2019 13:12:17 -0600 Subject: [PATCH] Add --debug-prefix-map option @@ -11,7 +11,7 @@ Upstream-Status: Submitted [https://bugzilla.nasm.us/show_bug.cgi?id=3392635] Signed-off-by: Joshua Watt --- - asm/nasm.c | 26 +++++++++++++++++++++++++- + asm/nasm.c | 24 ++++++++++++++++++++++++ include/nasmlib.h | 9 +++++++++ nasm.txt | 4 ++++ nasmlib/filename.c | 20 ++++++++++++++++++++ @@ -23,34 +23,32 @@ Signed-off-by: Joshua Watt stdlib/strlcat.c | 2 +- test/elfdebugprefix.asm | 6 ++++++ test/performtest.pl | 12 ++++++++++-- - 12 files changed, 83 insertions(+), 10 deletions(-) + 12 files changed, 82 insertions(+), 9 deletions(-) create mode 100644 test/elfdebugprefix.asm diff --git a/asm/nasm.c b/asm/nasm.c -index a0e1719..fc6c62e 100644 +index e5ae89a..7a7f8b4 100644 --- a/asm/nasm.c +++ b/asm/nasm.c -@@ -938,7 +938,8 @@ enum text_options { - OPT_LIMIT, +@@ -939,6 +939,7 @@ enum text_options { OPT_KEEP_ALL, OPT_NO_LINE, -- OPT_DEBUG -+ OPT_DEBUG, -+ OPT_DEBUG_PREFIX_MAP + OPT_DEBUG, ++ OPT_DEBUG_PREFIX_MAP, + OPT_REPRODUCIBLE }; enum need_arg { - ARG_NO, -@@ -970,6 +971,7 @@ static const struct textargs textopts[] = { +@@ -971,6 +972,7 @@ static const struct textargs textopts[] = { {"keep-all", OPT_KEEP_ALL, ARG_NO, 0}, {"no-line", OPT_NO_LINE, ARG_NO, 0}, {"debug", OPT_DEBUG, ARG_MAYBE, 0}, + {"debug-prefix-map", OPT_DEBUG_PREFIX_MAP, true, 0}, + {"reproducible", OPT_REPRODUCIBLE, ARG_NO, 0}, {NULL, OPT_BOGUS, ARG_NO, 0} }; - -@@ -1332,6 +1334,26 @@ static bool process_arg(char *p, char *q, int pass) - case OPT_DEBUG: - debug_nasm = param ? strtoul(param, NULL, 10) : debug_nasm+1; +@@ -1337,6 +1339,26 @@ static bool process_arg(char *p, char *q, int pass) + case OPT_REPRODUCIBLE: + reproducible = true; break; + case OPT_DEBUG_PREFIX_MAP: { + struct debug_prefix_list *d; 
@@ -75,7 +73,7 @@ index a0e1719..fc6c62e 100644 case OPT_HELP: help(stdout); exit(0); -@@ -2297,6 +2319,8 @@ static void help(FILE *out) +@@ -2304,6 +2326,8 @@ static void help(FILE *out) " -w-x disable warning x (also -Wno-x)\n" " -w[+-]error promote all warnings to errors (also -Werror)\n" " -w[+-]error=x promote warning x to errors (also -Werror=x)\n" @@ -85,7 +83,7 @@ index a0e1719..fc6c62e 100644 fprintf(out, " %-20s %s\n", diff --git a/include/nasmlib.h b/include/nasmlib.h -index e9bfbcc..98fc653 100644 +index 438178d..4c3e90d 100644 --- a/include/nasmlib.h +++ b/include/nasmlib.h @@ -250,10 +250,19 @@ int64_t readstrnum(char *str, int length, bool *warn); @@ -181,10 +179,10 @@ index 54b22f8..c4a412c 100644 static void as86_cleanup(void) diff --git a/output/outcoff.c b/output/outcoff.c -index bcd9ff3..15bfcf3 100644 +index 58fa024..14baf7b 100644 --- a/output/outcoff.c +++ b/output/outcoff.c -@@ -1095,14 +1095,14 @@ static void coff_symbol(char *name, int32_t strpos, int32_t value, +@@ -1072,14 +1072,14 @@ static void coff_symbol(char *name, int32_t strpos, int32_t value, static void coff_write_symbols(void) { @@ -215,7 +213,7 @@ index 61af020..1292958 100644 nsects = sectlen = 0; syms = saa_init((int32_t)sizeof(struct elf_symbol)); diff --git a/output/outieee.c b/output/outieee.c -index 4cc0f0f..2468724 100644 +index 6d6d4b2..cdb8333 100644 --- a/output/outieee.c +++ b/output/outieee.c @@ -207,7 +207,7 @@ static void ieee_unqualified_name(char *, char *); @@ -228,10 +226,10 @@ index 4cc0f0f..2468724 100644 fpubhead = NULL; fpubtail = &fpubhead; diff --git a/output/outobj.c b/output/outobj.c -index 0d4d311..d8dd6a0 100644 +index 56b43f9..fefea94 100644 --- a/output/outobj.c +++ b/output/outobj.c -@@ -638,7 +638,7 @@ static enum directive_result obj_directive(enum directive, char *); +@@ -644,7 +644,7 @@ static enum directive_result obj_directive(enum directive, char *); static void obj_init(void) { 
diff --git a/meta/recipes-devtools/nasm/nasm_2.15.03.bb b/meta/recipes-devtools/nasm/nasm_2.15.05.bb similarity index 84% rename from meta/recipes-devtools/nasm/nasm_2.15.03.bb rename to meta/recipes-devtools/nasm/nasm_2.15.05.bb index fc7046244a..43088baf71 100644 --- a/meta/recipes-devtools/nasm/nasm_2.15.03.bb +++ b/meta/recipes-devtools/nasm/nasm_2.15.05.bb 
@@ -10,11 +10,11 @@ SRC_URI = "http://www.nasm.us/pub/nasm/releasebuilds/${PV}/nasm-${PV}.tar.bz2 \ file://0002-Add-debug-prefix-map-option.patch \ " -SRC_URI[sha256sum] = "04e7343d9bf112bffa9fda86f6c7c8b120c2ccd700b882e2db9f57484b1bd778" +SRC_URI[sha256sum] = "3c4b8339e5ab54b1bcb2316101f8985a5da50a3f9e504d43fa6f35668bee2fd0" EXTRA_AUTORECONF_append = " -I autoconf/m4" -inherit autotools +inherit autotools-brokensep BBCLASSEXTEND = "native" 
From patchwork Wed Sep 6 02:21:18 2023 X-Patchwork-Submitter: "Lee, Chee Yang" X-Patchwork-Id: 30071 X-Patchwork-Delegate: steve@sakoman.com From: chee.yang.lee@intel.com To: openembedded-core@lists.openembedded.org Subject: [dunfell][PATCH 5/5] nasm: fix CVE-2022-44370 Date: Wed, 6 Sep 2023 10:21:18 +0800 Message-Id: <20230906022118.1593547-5-chee.yang.lee@intel.com> In-Reply-To: <20230906022118.1593547-1-chee.yang.lee@intel.com> References: <20230906022118.1593547-1-chee.yang.lee@intel.com> X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/187272 From: Archana Polampalli NASM v2.16 was discovered to contain a heap buffer overflow in the component quote_for_pmake() asm/nasm.c:856 References: https://nvd.nist.gov/vuln/detail/CVE-2022-44370 Upstream patches: https://github.com/netwide-assembler/nasm/commit/2d4e6952417ec6f08b6f135d2b5d0e19b7dae30d ( cherry picked from commit 1568df72136f46f0767bba56c10c48bf2a1ec259 ) Signed-off-by: Archana Polampalli Signed-off-by: Steve Sakoman Signed-off-by: Lee Chee Yang --- .../nasm/nasm/CVE-2022-44370.patch | 104 ++++++++++++++++++ meta/recipes-devtools/nasm/nasm_2.15.05.bb | 1 + 2 files changed, 105 insertions(+) create mode 100644 meta/recipes-devtools/nasm/nasm/CVE-2022-44370.patch 
diff --git a/meta/recipes-devtools/nasm/nasm/CVE-2022-44370.patch b/meta/recipes-devtools/nasm/nasm/CVE-2022-44370.patch new file mode 100644 index 0000000000..1bd49c9fd9 --- /dev/null +++ b/meta/recipes-devtools/nasm/nasm/CVE-2022-44370.patch 
@@ -0,0 +1,104 @@ +From b37677f7e40276bd8f504584bcba2c092f1146a8 Mon Sep 17 00:00:00 2001 +From: "H. Peter Anvin" +Date: Mon, 7 Nov 2022 10:26:03 -0800 +Subject: [PATCH] quote_for_pmake: fix counter underrun resulting in segfault + +while (nbs--) { ... } ends with nbs == -1. Rather than a minimal fix, +introduce mempset() to make these kinds of errors less likely in the +future. + +Fixes: https://bugzilla.nasm.us/show_bug.cgi?id=3392815 +Reported-by: <13579and24680@gmail.com> +Signed-off-by: H. Peter Anvin + +Upstream-Status: Backport +CVE: CVE-2022-4437 + +Reference to upstream patch: +[https://github.com/netwide-assembler/nasm/commit/2d4e6952417ec6f08b6f135d2b5d0e19b7dae30d] + +Signed-off-by: Archana Polampalli +--- + asm/nasm.c | 12 +++++------- + configure.ac | 1 + + include/compiler.h | 7 +++++++ + 3 files changed, 13 insertions(+), 7 deletions(-) + +diff --git a/asm/nasm.c b/asm/nasm.c +index 7a7f8b4..675cff4 100644 +--- a/asm/nasm.c ++++ b/asm/nasm.c +@@ -1,6 +1,6 @@ + /* ----------------------------------------------------------------------- * + * +- * Copyright 1996-2020 The NASM Authors - All Rights Reserved ++ * Copyright 1996-2022 The NASM Authors - All Rights Reserved + * See the file AUTHORS included with the NASM distribution for + * the specific copyright holders. 
+ * +@@ -814,8 +814,7 @@ static char *quote_for_pmake(const char *str) + } + + /* Convert N backslashes at the end of filename to 2N backslashes */ +- if (nbs) +- n += nbs; ++ n += nbs; + + os = q = nasm_malloc(n); + +@@ -824,10 +823,10 @@ static char *quote_for_pmake(const char *str) + switch (*p) { + case ' ': + case '\t': +- while (nbs--) +- *q++ = '\\'; ++ q = mempset(q, '\\', nbs); + *q++ = '\\'; + *q++ = *p; ++ nbs = 0; + break; + case '$': + *q++ = *p; +@@ -849,9 +848,8 @@ static char *quote_for_pmake(const char *str) + break; + } + } +- while (nbs--) +- *q++ = '\\'; + ++ q = mempset(q, '\\', nbs); + *q = '\0'; + + return os; +diff --git a/configure.ac b/configure.ac +index 39680b1..940ebe2 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -199,6 +199,7 @@ AC_CHECK_FUNCS(strrchrnul) + AC_CHECK_FUNCS(iscntrl) + AC_CHECK_FUNCS(isascii) + AC_CHECK_FUNCS(mempcpy) ++AC_CHECK_FUNCS(mempset) + + AC_CHECK_FUNCS(getuid) + AC_CHECK_FUNCS(getgid) +diff --git a/include/compiler.h b/include/compiler.h +index db3d6d6..b64da6a 100644 +--- a/include/compiler.h ++++ b/include/compiler.h +@@ -256,6 +256,13 @@ static inline void *mempcpy(void *dst, const void *src, size_t n) + } + #endif + ++#ifndef HAVE_MEMPSET ++static inline void *mempset(void *dst, int c, size_t n) ++{ ++ return (char *)memset(dst, c, n) + n; ++} ++#endif ++ + /* + * Hack to support external-linkage inline functions + */ +-- +2.40.0 diff --git a/meta/recipes-devtools/nasm/nasm_2.15.05.bb b/meta/recipes-devtools/nasm/nasm_2.15.05.bb index 43088baf71..c5638debdd 100644 --- a/meta/recipes-devtools/nasm/nasm_2.15.05.bb +++ b/meta/recipes-devtools/nasm/nasm_2.15.05.bb 
@@ -8,6 +8,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=90904486f8fbf1861cf42752e1a39efe" SRC_URI = "http://www.nasm.us/pub/nasm/releasebuilds/${PV}/nasm-${PV}.tar.bz2 \ file://0001-stdlib-Add-strlcat.patch \ file://0002-Add-debug-prefix-map-option.patch \ + file://CVE-2022-44370.patch \ " SRC_URI[sha256sum] = "3c4b8339e5ab54b1bcb2316101f8985a5da50a3f9e504d43fa6f35668bee2fd0"
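
Review bot: The `Upstream-Status: Backport` link at the top of the new `libxpm/CVE-2022-46285.patch` (patch 2/5) carries a shortened commit id, `.../commit/a3a7c6dcc3b629d7650148 ]`, with a stray space before the closing bracket. The `From a3a7c6dcc3b629d765014816c566c63165c63ca8` line just below it has the full hash; use that in the URL so the reference is unambiguous and has the same form as the full-hash link in the qemu backport in patch 3/5.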
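
Review bot: In the `qemu.inc` hunk of patch 3/5 the closing quote of `SRC_URI` is removed and re-added (`- "` followed by `+ "`), so the whitespace on that line changed together with the new entry, which is why the diffstat reports `3 +-` for what should be a one-line addition. Leave the closing quote line untouched so the hunk consists only of the added `file://CVE-2020-24165.patch \` line and the list keeps a stable tail for the next backport.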
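
Review bot: In the refreshed `textopts[]` hunk of `0002-Add-debug-prefix-map-option.patch` (patch 4/5), the carried entry `{"debug-prefix-map", OPT_DEBUG_PREFIX_MAP, true, 0},` still passes a bare `true` in the slot where every neighbouring entry uses a `need_arg` enumerator (`ARG_NO`, `ARG_MAYBE`). As the patch is being rebased onto 2.15.05 anyway, switch it to the enumerator for a required argument so the table stays consistent with the entries around it, including the `{"reproducible", OPT_REPRODUCIBLE, ARG_NO, 0},` line this upgrade brings in.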
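
Review bot: The `CVE:` tag in the header of the new `nasm/CVE-2022-44370.patch` (patch 5/5) reads `CVE: CVE-2022-4437`, one digit short of the CVE-2022-44370 given in the subject, the file name and the NVD reference. Correct it to `CVE: CVE-2022-44370` so the patch header names the issue this patch fixes rather than a different identifier. The `Upstream-Status: Backport` line there is also bare; move the commit URL listed under "Reference to upstream patch" into its brackets, as the libxpm and qemu backports in this series do.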