From patchwork Wed Sep 13 14:30:33 2023
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 30401
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 1/8] python3-pygments: Fix CVE-2022-40896
Date: Wed, 13 Sep 2023 04:30:33 -1000
X-Mailer: git-send-email 2.34.1
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/187596
From: Narpat Mali

CVE-2022-40896: A ReDoS issue was discovered in pygments/lexers/smithy.py in pygments through 2.15.0 via SmithyLexer.

The CVE issue is fixed by 3 different commits between the releases 2.14.0 (for Smithy lexer), 2.15.0 (for SQL+Jinja lexers) and 2.15.1 (for Java properties) as per:
https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages-part-2/

1. Smithy lexer commit from 2.14.0 release applies successfully on 2.11.2 version.
Commit: https://github.com/pygments/pygments/commit/dd52102c38ebe78cd57748e09f38929fd283ad04
Hence, backported the patch as CVE-2022-40896.patch.

2. SQL+Jinja lexers commit from 2.15.0 release doesn't apply on 2.11.2 version.
Commit: https://github.com/pygments/pygments/commit/97eb3d5ec7c1b3ea4fcf9dee30a2309cf92bd194
Actually, this code doesn't exist in 2.11.2 version and it has been introduced by python3-pygments 2.13.0 version. Hence, this is not vulnerable for 2.11.2 version.
SQL+Jinja lexers are introduced by:
https://github.com/pygments/pygments/commit/0bdbd5992baca32d18e01f0ec65337e06abf9456

3. Java properties commit from 2.15.1 release also doesn't apply on 2.11.2 version.
Commit: https://github.com/pygments/pygments/commit/fdf182a7af85b1deeeb637ca970d31935e7c9d52
Actually, this code also doesn't exist in 2.11.2 version as the code has been modified in python3-pygments 2.14.0 by:
https://github.com/pygments/pygments/commit/a38cb38e93c9635240b3ae89d78d38cf182745da
Hence, this is also not vulnerable for 2.11.2 version.

Signed-off-by: Narpat Mali
Signed-off-by: Steve Sakoman
---
 .../python3-pygments/CVE-2022-40896.patch | 124 ++++++++++++++++++
 .../python/python3-pygments_2.11.2.bb     |   2 +
 2 files changed, 126 insertions(+)
 create mode 100644 meta/recipes-devtools/python/python3-pygments/CVE-2022-40896.patch
diff --git a/meta/recipes-devtools/python/python3-pygments/CVE-2022-40896.patch b/meta/recipes-devtools/python/python3-pygments/CVE-2022-40896.patch new file mode 100644 index 0000000000..9848072a94 --- /dev/null +++ b/meta/recipes-devtools/python/python3-pygments/CVE-2022-40896.patch 
@@ -0,0 +1,124 @@ +From ed61747f328ff6aa343881b269600308ab8eac93 Mon Sep 17 00:00:00 2001 +From: Narpat Mali +Date: Wed, 6 Sep 2023 10:32:38 +0000 +Subject: [PATCH] Improve the Smithy metadata matcher. + +Previously, metadata foo bar baz = 23 was accepted, but according to +the definition https://smithy.io/2.0/spec/idl.html#grammar-token-smithy-MetadataSection +it should be "metadata"Identifier/String. + +CVE: CVE-2022-40896 + +Upstream-Status: Backport [https://github.com/pygments/pygments/commit/dd52102c38ebe78cd57748e09f38929fd283ad04] + +Signed-off-by: Narpat Mali +--- + pygments/lexers/smithy.py | 5 +- + tests/examplefiles/smithy/test.smithy | 12 +++++ + tests/examplefiles/smithy/test.smithy.output | 52 ++++++++++++++++++++ + 3 files changed, 67 insertions(+), 2 deletions(-) + +diff --git a/pygments/lexers/smithy.py b/pygments/lexers/smithy.py +index 0f0a912..c5e25cd 100644 +--- a/pygments/lexers/smithy.py ++++ b/pygments/lexers/smithy.py +@@ -58,8 +58,9 @@ class SmithyLexer(RegexLexer): + (words(aggregate_shapes, + prefix=r'^', suffix=r'(\s+' + identifier + r')'), + bygroups(Keyword.Declaration, Name.Class)), +- (r'^(metadata)(\s+.+)(\s*)(=)', +- bygroups(Keyword.Declaration, Name.Class, Whitespace, Name.Decorator)), ++ (r'^(metadata)(\s+)((?:\S+)|(?:\"[^"]+\"))(\s*)(=)', ++ bygroups(Keyword.Declaration, Whitespace, Name.Class, ++ Whitespace, Name.Decorator)), + (r"(true|false|null)", Keyword.Constant), + (r"(-?(?:0|[1-9]\d*)(?:\.\d+)?(?:[eE][+-]?\d+)?)", Number), + (identifier + ":", Name.Label), +diff --git a/tests/examplefiles/smithy/test.smithy b/tests/examplefiles/smithy/test.smithy +index 3d20f06..9317fee 100644 +--- a/tests/examplefiles/smithy/test.smithy ++++ b/tests/examplefiles/smithy/test.smithy +@@ -2,6 +2,18 @@ $version: "1.0" + + namespace test + ++metadata "foo" = ["bar", "baz"] ++metadata validators = [ ++ { ++ name: "ValidatorName" ++ id: "ValidatorId" ++ message: "Some string" ++ configuration: { ++ selector: "operation" ++ } ++ } ++] ++ + 
/// Define how an HTTP request is serialized given a specific protocol, + /// authentication scheme, and set of input parameters. + @trait(selector: "operation") +diff --git a/tests/examplefiles/smithy/test.smithy.output b/tests/examplefiles/smithy/test.smithy.output +index 1f22489..db44a38 100644 +--- a/tests/examplefiles/smithy/test.smithy.output ++++ b/tests/examplefiles/smithy/test.smithy.output +@@ -7,6 +7,58 @@ + ' test' Name.Class + '\n\n' Text.Whitespace + ++'metadata' Keyword.Declaration ++' ' Text.Whitespace ++'"foo"' Name.Class ++' ' Text.Whitespace ++'=' Name.Decorator ++' ' Text.Whitespace ++'[' Text ++'"bar"' Literal.String.Double ++',' Punctuation ++' ' Text.Whitespace ++'"baz"' Literal.String.Double ++']' Text ++'\n' Text.Whitespace ++ ++'metadata' Keyword.Declaration ++' ' Text.Whitespace ++'validators' Name.Class ++' ' Text.Whitespace ++'=' Name.Decorator ++' ' Text.Whitespace ++'[' Text ++'\n ' Text.Whitespace ++'{' Text ++'\n ' Text.Whitespace ++'name:' Name.Label ++' ' Text.Whitespace ++'"ValidatorName"' Literal.String.Double ++'\n ' Text.Whitespace ++'id:' Name.Label ++' ' Text.Whitespace ++'"ValidatorId"' Literal.String.Double ++'\n ' Text.Whitespace ++'message:' Name.Label ++' ' Text.Whitespace ++'"Some string"' Literal.String.Double ++'\n ' Text.Whitespace ++'configuration:' Name.Label ++' ' Text.Whitespace ++'{' Text ++'\n ' Text.Whitespace ++'selector:' Name.Label ++' ' Text.Whitespace ++'"operation"' Literal.String.Double ++'\n ' Text.Whitespace ++'}' Text ++'\n ' Text.Whitespace ++'}' Text ++'\n' Text.Whitespace ++ ++']' Text ++'\n\n' Text.Whitespace ++ + '/// Define how an HTTP request is serialized given a specific protocol,' Comment.Multiline + '\n' Text.Whitespace + +-- +2.40.0 diff --git a/meta/recipes-devtools/python/python3-pygments_2.11.2.bb b/meta/recipes-devtools/python/python3-pygments_2.11.2.bb index 35d288c89e..6e787f23d2 100644 --- a/meta/recipes-devtools/python/python3-pygments_2.11.2.bb 
+++ b/meta/recipes-devtools/python/python3-pygments_2.11.2.bb 
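Review bot: the smithy.py hunk removes the ReDoS because the old `(\s+.+)(\s*)(=)` lets `\s+`, the greedy `.+` and the trailing `\s*` split a run of whitespace in many ways, all of which are retried when no `=` follows, so a `metadata` line padded with spaces costs time that grows polynomially with its length; the new `(\s+)((?:\S+)|(?:\"[^"]+\"))(\s*)(=)` consumes the whitespace once and then demands a non-space or a quoted token, so every backtrack fails on the next character and matching stays linear. The test.smithy additions only exercise the accepted forms (`metadata "foo" = [...]` and `metadata validators = [`); consider also adding the previously accepted `metadata foo bar baz = 23` from the patch description to the example file and its .output so the regression is pinned down, i.e. that `foo` is no longer followed by `bar baz` inside a single Name.Class token.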
@@ -7,6 +7,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=98419e351433ac106a24e3ad435930bc" inherit setuptools3 SRC_URI[sha256sum] = "4e426f72023d88d03b2fa258de560726ce890ff3b630f88c21cbb8b2503b8c6a" +SRC_URI += "file://CVE-2022-40896.patch" + DEPENDS += "\ ${PYTHON_PN} \ "
From patchwork Wed Sep 13 14:30:34 2023
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 30403
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 2/8] dropbear: fix CVE-2023-36328
Date: Wed, 13 Sep 2023 04:30:34 -1000
Message-Id: <38709b0d35e7bd6760285bfa926dc85985c5cdcd.1694613269.git.steve@sakoman.com>
X-Mailer: git-send-email 2.34.1
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/187597

From: Yogita Urade

Integer Overflow vulnerability in mp_grow in libtom libtommath before commit beba892bc0d4e4ded4d667ab1d2a94f4d75109a9 allows attackers to execute arbitrary code and cause a denial of service (DoS).

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-36328
https://github.com/libtom/libtommath/pull/546

Signed-off-by: Yogita Urade
Signed-off-by: Steve Sakoman
---
 meta/recipes-core/dropbear/dropbear.inc    |   1 +
 .../dropbear/dropbear/CVE-2023-36328.patch | 144 ++++++++++++++++++
 2 files changed, 145 insertions(+)
 create mode 100644 meta/recipes-core/dropbear/dropbear/CVE-2023-36328.patch

diff --git a/meta/recipes-core/dropbear/dropbear.inc b/meta/recipes-core/dropbear/dropbear.inc index f3f085b616..e61930f7db 100644 --- a/meta/recipes-core/dropbear/dropbear.inc +++ b/meta/recipes-core/dropbear/dropbear.inc @@ -29,6 +29,7 @@ SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \ ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \ ${@bb.utils.contains('PACKAGECONFIG', 'disable-weak-ciphers', 'file://dropbear-disable-weak-ciphers.patch', '', d)} \ file://CVE-2021-36369.patch \ + file://CVE-2023-36328.patch \ " PAM_SRC_URI = "file://0005-dropbear-enable-pam.patch \
diff --git a/meta/recipes-core/dropbear/dropbear/CVE-2023-36328.patch b/meta/recipes-core/dropbear/dropbear/CVE-2023-36328.patch new file mode 100644 index 0000000000..4d8c40f70b --- /dev/null +++ b/meta/recipes-core/dropbear/dropbear/CVE-2023-36328.patch 
@@ -0,0 +1,144 @@ +From beba892bc0d4e4ded4d667ab1d2a94f4d75109a9 Mon Sep 17 00:00:00 2001 +From: czurnieden +Date: Wed, 6 Sep 2023 10:48:58 +0000 +Subject: [PATCH] Fix possible integer overflow + +CVE: CVE-2023-36328 + +Upstream-Status: Backport [https://github.com/libtom/libtommath/commit/beba892bc0d4e4ded4d667ab1d2a94f4d75109a9] + +Signed-off-by: Yogita Urade +--- + libtommath/bn_mp_2expt.c | 4 ++++ + libtommath/bn_mp_grow.c | 4 ++++ + libtommath/bn_mp_init_size.c | 5 +++++ + libtommath/bn_mp_mul_2d.c | 4 ++++ + libtommath/bn_s_mp_mul_digs.c | 4 ++++ + libtommath/bn_s_mp_mul_digs_fast.c | 4 ++++ + libtommath/bn_s_mp_mul_high_digs.c | 4 ++++ + libtommath/bn_s_mp_mul_high_digs_fast.c | 4 ++++ + 8 files changed, 33 insertions(+) + +diff --git a/libtommath/bn_mp_2expt.c b/libtommath/bn_mp_2expt.c +index 0ae3df1..7d4d884 100644 +--- a/libtommath/bn_mp_2expt.c ++++ b/libtommath/bn_mp_2expt.c +@@ -12,6 +12,10 @@ mp_err mp_2expt(mp_int *a, int b) + { + mp_err err; + ++ if (b < 0) { ++ return MP_VAL; ++ } ++ + /* zero a as per default */ + mp_zero(a); + +diff --git a/libtommath/bn_mp_grow.c b/libtommath/bn_mp_grow.c +index 9e904c5..e7b186c 100644 +--- a/libtommath/bn_mp_grow.c ++++ b/libtommath/bn_mp_grow.c +@@ -9,6 +9,10 @@ mp_err mp_grow(mp_int *a, int size) + int i; + mp_digit *tmp; + ++ if (size < 0) { ++ return MP_VAL; ++ } ++ + /* if the alloc size is smaller alloc more ram */ + if (a->alloc < size) { + /* reallocate the array a->dp +diff --git a/libtommath/bn_mp_init_size.c b/libtommath/bn_mp_init_size.c +index d622687..5fefa96 100644 +--- a/libtommath/bn_mp_init_size.c ++++ b/libtommath/bn_mp_init_size.c +@@ -6,6 +6,11 @@ + /* init an mp_init for a given size */ + mp_err mp_init_size(mp_int *a, int size) + { ++ ++ if (size < 0) { ++ return MP_VAL; ++ } ++ + size = MP_MAX(MP_MIN_PREC, size); + + /* alloc mem */ +diff --git a/libtommath/bn_mp_mul_2d.c b/libtommath/bn_mp_mul_2d.c +index 87354de..2744163 100644 +--- a/libtommath/bn_mp_mul_2d.c ++++ 
b/libtommath/bn_mp_mul_2d.c +@@ -9,6 +9,10 @@ mp_err mp_mul_2d(const mp_int *a, int b, mp_int *c) + mp_digit d; + mp_err err; + ++ if (b < 0) { ++ return MP_VAL; ++ } ++ + /* copy */ + if (a != c) { + if ((err = mp_copy(a, c)) != MP_OKAY) { +diff --git a/libtommath/bn_s_mp_mul_digs.c b/libtommath/bn_s_mp_mul_digs.c +index 64509d4..2d2f5b0 100644 +--- a/libtommath/bn_s_mp_mul_digs.c ++++ b/libtommath/bn_s_mp_mul_digs.c +@@ -16,6 +16,10 @@ mp_err s_mp_mul_digs(const mp_int *a, const mp_int *b, mp_int *c, int digs) + mp_word r; + mp_digit tmpx, *tmpt, *tmpy; + ++ if (digs < 0) { ++ return MP_VAL; ++ } ++ + /* can we use the fast multiplier? */ + if ((digs < MP_WARRAY) && + (MP_MIN(a->used, b->used) < MP_MAXFAST)) { +diff --git a/libtommath/bn_s_mp_mul_digs_fast.c b/libtommath/bn_s_mp_mul_digs_fast.c +index b2a287b..d6dd3cc 100644 +--- a/libtommath/bn_s_mp_mul_digs_fast.c ++++ b/libtommath/bn_s_mp_mul_digs_fast.c +@@ -26,6 +26,10 @@ mp_err s_mp_mul_digs_fast(const mp_int *a, const mp_int *b, mp_int *c, int digs) + mp_digit W[MP_WARRAY]; + mp_word _W; + ++ if (digs < 0) { ++ return MP_VAL; ++ } ++ + /* grow the destination as required */ + if (c->alloc < digs) { + if ((err = mp_grow(c, digs)) != MP_OKAY) { +diff --git a/libtommath/bn_s_mp_mul_high_digs.c b/libtommath/bn_s_mp_mul_high_digs.c +index 2bb2a50..c9dd355 100644 +--- a/libtommath/bn_s_mp_mul_high_digs.c ++++ b/libtommath/bn_s_mp_mul_high_digs.c +@@ -15,6 +15,10 @@ mp_err s_mp_mul_high_digs(const mp_int *a, const mp_int *b, mp_int *c, int digs) + mp_word r; + mp_digit tmpx, *tmpt, *tmpy; + ++ if (digs < 0) { ++ return MP_VAL; ++ } ++ + /* can we use the fast multiplier? 
*/ + if (MP_HAS(S_MP_MUL_HIGH_DIGS_FAST) + && ((a->used + b->used + 1) < MP_WARRAY) +diff --git a/libtommath/bn_s_mp_mul_high_digs_fast.c b/libtommath/bn_s_mp_mul_high_digs_fast.c +index a2c4fb6..4ce7f59 100644 +--- a/libtommath/bn_s_mp_mul_high_digs_fast.c ++++ b/libtommath/bn_s_mp_mul_high_digs_fast.c +@@ -19,6 +19,10 @@ mp_err s_mp_mul_high_digs_fast(const mp_int *a, const mp_int *b, mp_int *c, int + mp_digit W[MP_WARRAY]; + mp_word _W; + ++ if (digs < 0) { ++ return MP_VAL; ++ } ++ + /* grow the destination as required */ + pa = a->used + b->used; + if (c->alloc < pa) { +-- +2.35.5
From patchwork Wed Sep 13 14:30:35 2023
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 30404
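Review bot: in the bn_mp_init_size.c hunk the new `if (size < 0) { return MP_VAL; }` sits before `size = MP_MAX(MP_MIN_PREC, size);`, so a negative size that the old code silently clamped up to MP_MIN_PREC now fails with MP_VAL; that is the right direction for a bounds fix, but it is a behaviour change for any dropbear call site that relied on the clamp, so grep dropbear's own uses of mp_init_size for computed sizes before merging. The same hunk also carries a stray blank line between the opening brace and the guard (`{` / `+` / `+ if (size < 0) {`), unlike the other seven hunks, which place the guard after the local declarations; align it for consistency so the backport stays diffable against upstream.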
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 3/8] qemu: fix CVE-2021-3638
Date: Wed, 13 Sep 2023 04:30:35 -1000
X-Mailer: git-send-email 2.34.1
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/187598

From: Yogita Urade

QEMU: ati-vga: inconsistent check in ati_2d_blt() may lead to out-of-bounds write.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2021-3638
https://lists.nongnu.org/archive/html/qemu-devel/2021-09/msg01682.html

Signed-off-by: Yogita Urade
Signed-off-by: Steve Sakoman
---
 meta/recipes-devtools/qemu/qemu.inc   |  1 +
 .../qemu/qemu/CVE-2021-3638.patch     | 88 +++++++++++++++++++
 2 files changed, 89 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3638.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index d77c376bb6..5526eacb96 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -100,6 +100,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2020-14394.patch \ file://CVE-2023-3354.patch \ file://CVE-2023-3180.patch \ + file://CVE-2021-3638.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3638.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3638.patch new file mode 100644 index 0000000000..3cbb34c54c --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3638.patch
@@ -0,0 +1,88 @@ +From 205ccfd7a5ec86bd9a5678b8bd157562fc9a1643 Mon Sep 17 00:00:00 2001 +From: Philippe Mathieu-Daudé +Date: Thu, 10 Aug 2023 07:30:54 +0000 +Subject: [PATCH] hw/display/ati_2d: Fix buffer overflow in ati_2d_blt + (CVE-2021-3638) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 + Content-Transfer-Encoding: 8bit +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When building QEMU with DEBUG_ATI defined then running with +'-device ati-vga,romfile="" -d unimp,guest_errors -trace ati\*' +we get: + + ati_mm_write 4 0x16c0 DP_CNTL <- 0x1 + ati_mm_write 4 0x146c DP_GUI_MASTER_CNTL <- 0x2 + ati_mm_write 4 0x16c8 DP_MIX <- 0xff0000 + ati_mm_write 4 0x16c4 DP_DATATYPE <- 0x2 + ati_mm_write 4 0x224 CRTC_OFFSET <- 0x0 + ati_mm_write 4 0x142c DST_PITCH_OFFSET <- 0xfe00000 + ati_mm_write 4 0x1420 DST_Y <- 0x3fff + ati_mm_write 4 0x1410 DST_HEIGHT <- 0x3fff + ati_mm_write 4 0x1588 DST_WIDTH_X <- 0x3fff3fff + ati_2d_blt: vram:0x7fff5fa00000 addr:0 ds:0x7fff61273800 stride:2560 bpp:32 rop:0xff + ati_2d_blt: 0 0 0, 0 127 0, (0,0) -> (16383,16383) 16383x16383 > ^ + ati_2d_blt: pixman_fill(dst:0x7fff5fa00000, stride:254, bpp:8, x:16383, y:16383, w:16383, h:16383, xor:0xff000000) + Thread 3 "qemu-system-i38" received signal SIGSEGV, Segmentation fault. + (gdb) bt + #0 0x00007ffff7f62ce0 in sse2_fill.lto_priv () at /lib64/libpixman-1.so.0 + #1 0x00007ffff7f09278 in pixman_fill () at /lib64/libpixman-1.so.0 + #2 0x0000555557b5a9af in ati_2d_blt (s=0x631000028800) at hw/display/ati_2d.c:196 + #3 0x0000555557b4b5a2 in ati_mm_write (opaque=0x631000028800, addr=5512, data=1073692671, size=4) at hw/display/ati.c:843 + #4 0x0000555558b90ec4 in memory_region_write_accessor (mr=0x631000039cc0, addr=5512, ..., size=4, ...) 
at softmmu/memory.c:492 + +Commit 584acf34cb0 ("ati-vga: Fix reverse bit blts") introduced +the local dst_x and dst_y which adjust the (x, y) coordinates +depending on the direction in the SRCCOPY ROP3 operation, but +forgot to address the same issue for the PATCOPY, BLACKNESS and +WHITENESS operations, which also call pixman_fill(). + +Fix that now by using the adjusted coordinates in the pixman_fill +call, and update the related debug printf(). + +Reported-by: Qiang Liu +Fixes: 584acf34cb0 ("ati-vga: Fix reverse bit blts") +Signed-off-by: Philippe Mathieu-Daudé +Tested-by: Mauro Matteo Cascella +Message-Id: <20210906153103.1661195-1-philmd@redhat.com> +Signed-off-by: Gerd Hoffmann + +CVE: CVE-2021-3638 + +Upstream-Status: Backport [https://github.com/qemu/qemu/commit/205ccfd7a5ec86bd9a5678b8bd157562fc9a1643] + +Signed-off-by: Yogita Urade +--- + hw/display/ati_2d.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/hw/display/ati_2d.c b/hw/display/ati_2d.c +index 4dc10ea79..692bec91d 100644 +--- a/hw/display/ati_2d.c ++++ b/hw/display/ati_2d.c +@@ -84,7 +84,7 @@ void ati_2d_blt(ATIVGAState *s) + DPRINTF("%d %d %d, %d %d %d, (%d,%d) -> (%d,%d) %dx%d %c %c\n", + s->regs.src_offset, s->regs.dst_offset, s->regs.default_offset, + s->regs.src_pitch, s->regs.dst_pitch, s->regs.default_pitch, +- s->regs.src_x, s->regs.src_y, s->regs.dst_x, s->regs.dst_y, ++ s->regs.src_x, s->regs.src_y, dst_x, dst_y, + s->regs.dst_width, s->regs.dst_height, + (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ? '>' : '<'), + (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ? 
'v' : '^')); +@@ -180,11 +180,11 @@ void ati_2d_blt(ATIVGAState *s) + dst_stride /= sizeof(uint32_t); + DPRINTF("pixman_fill(%p, %d, %d, %d, %d, %d, %d, %x)\n", + dst_bits, dst_stride, bpp, +- s->regs.dst_x, s->regs.dst_y, ++ dst_x, dst_y, + s->regs.dst_width, s->regs.dst_height, + filler); + pixman_fill((uint32_t *)dst_bits, dst_stride, bpp, +- s->regs.dst_x, s->regs.dst_y, ++ dst_x, dst_y, + s->regs.dst_width, s->regs.dst_height, + filler); + if (dst_bits >= s->vga.vram_ptr + s->vga.vbe_start_addr && +-- +2.40.0
From patchwork Wed Sep 13 14:30:36 2023
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 30405
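Review bot: the pixman_fill hunk makes the fill use the direction-adjusted dst_x/dst_y, which is the fix, but the range check that validates those coordinates against the destination surface is not in the visible context, and the trace in the patch description shows a 16383x16383 fill requested at (16383,16383); before taking this on the kirkstone qemu version, confirm that the bounds check earlier in ati_2d_blt() in that tree already tests dst_x/dst_y rather than s->regs.dst_x/dst_y, otherwise the mismatch between what is checked and what is filled is only moved rather than removed. Separately, the patch header's Subject line has the MIME headers (`MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit`) folded into it and then repeated as separate lines; trim the Subject to `hw/display/ati_2d: Fix buffer overflow in ati_2d_blt (CVE-2021-3638)` so `git am` records a clean title.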
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 4/8] libxml2: Fix CVE-2023-39615
Date: Wed, 13 Sep 2023 04:30:36 -1000
Message-Id: <9a2ad95caffae37014fa27d9b20d45f9779d0fbf.1694613269.git.steve@sakoman.com>
X-Mailer: git-send-email 2.34.1
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/187599

From: Soumya Sambu

Xmlsoft Libxml2 v2.11.0 was discovered to contain a global buffer overflow via the xmlSAX2StartElement() function at /libxml2/SAX2.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via supplying a crafted XML file.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-39615

Signed-off-by: Soumya Sambu
Signed-off-by: Steve Sakoman
---
 .../libxml/libxml2/CVE-2023-39615-0001.patch | 37 ++++++++++
 .../libxml/libxml2/CVE-2023-39615-0002.patch | 72 +++++++++++++++++++
 meta/recipes-core/libxml/libxml2_2.9.14.bb   |  2 +
 3 files changed, 111 insertions(+)
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2023-39615-0001.patch
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2023-39615-0002.patch

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2023-39615-0001.patch b/meta/recipes-core/libxml/libxml2/CVE-2023-39615-0001.patch new file mode 100644 index 0000000000..3506779c4c --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2023-39615-0001.patch
@@ -0,0 +1,37 @@ +From d0c3f01e110d54415611c5fa0040cdf4a56053f9 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sat May 6 17:47:37 2023 +0200 +Subject: [PATCH 1/2] parser: Fix old SAX1 parser with custom callbacks + +For some reason, xmlCtxtUseOptionsInternal set the start and end element +SAX handlers to the internal DOM builder functions when XML_PARSE_SAX1 +was specified. This means that custom SAX handlers could never work with +that flag because these functions would receive the wrong user data +argument and crash immediately. + +Fixes #535. + +CVE: CVE-2023-39615 + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/d0c3f01e110d54415611c5fa0040cdf4a56053f9] + +Signed-off-by: Soumya Sambu +--- + parser.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/parser.c b/parser.c +index 0f76577..b781c80 100644 +--- a/parser.c ++++ b/parser.c +@@ -15069,8 +15069,6 @@ xmlCtxtUseOptionsInternal(xmlParserCtxtPtr ctxt, int options, const char *encodi + } + #ifdef LIBXML_SAX1_ENABLED + if (options & XML_PARSE_SAX1) { +- ctxt->sax->startElement = xmlSAX2StartElement; +- ctxt->sax->endElement = xmlSAX2EndElement; + ctxt->sax->startElementNs = NULL; + ctxt->sax->endElementNs = NULL; + ctxt->sax->initialized = 1; +-- +2.40.0 diff --git a/meta/recipes-core/libxml/libxml2/CVE-2023-39615-0002.patch b/meta/recipes-core/libxml/libxml2/CVE-2023-39615-0002.patch new file mode 100644 index 0000000000..d922ddc730 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2023-39615-0002.patch 
@@ -0,0 +1,72 @@ +From 235b15a590eecf97b09e87bdb7e4f8333e9de129 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Mon May 8 17:58:02 2023 +0200 +Subject: [PATCH 2/2] SAX: Always initialize SAX1 element handlers + +Follow-up to commit d0c3f01e. A parser context will be initialized to +SAX version 2, but this can be overridden with XML_PARSE_SAX1 later, +so we must initialize the SAX1 element handlers as well. + +Change the check in xmlDetectSAX2 to only look for XML_SAX2_MAGIC, so +we don't switch to SAX1 if the SAX2 element handlers are NULL. + +CVE: CVE-2023-39615 + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/235b15a590eecf97b09e87bdb7e4f8333e9de129] + +Signed-off-by: Soumya Sambu +--- + SAX2.c | 11 +++++++---- + parser.c | 5 +---- + 2 files changed, 8 insertions(+), 8 deletions(-) + +diff --git a/SAX2.c b/SAX2.c +index 0319246..f7c77c2 100644 +--- a/SAX2.c ++++ b/SAX2.c +@@ -2842,20 +2842,23 @@ xmlSAXVersion(xmlSAXHandler *hdlr, int version) + { + if (hdlr == NULL) return(-1); + if (version == 2) { +- hdlr->startElement = NULL; +- hdlr->endElement = NULL; + hdlr->startElementNs = xmlSAX2StartElementNs; + hdlr->endElementNs = xmlSAX2EndElementNs; + hdlr->serror = NULL; + hdlr->initialized = XML_SAX2_MAGIC; + #ifdef LIBXML_SAX1_ENABLED + } else if (version == 1) { +- hdlr->startElement = xmlSAX2StartElement; +- hdlr->endElement = xmlSAX2EndElement; + hdlr->initialized = 1; + #endif /* LIBXML_SAX1_ENABLED */ + } else + return(-1); ++#ifdef LIBXML_SAX1_ENABLED ++ hdlr->startElement = xmlSAX2StartElement; ++ hdlr->endElement = xmlSAX2EndElement; ++#else ++ hdlr->startElement = NULL; ++ hdlr->endElement = NULL; ++#endif /* LIBXML_SAX1_ENABLED */ + hdlr->internalSubset = xmlSAX2InternalSubset; + hdlr->externalSubset = xmlSAX2ExternalSubset; + hdlr->isStandalone = xmlSAX2IsStandalone; +diff --git a/parser.c b/parser.c +index b781c80..738dbee 100644 +--- a/parser.c ++++ b/parser.c +@@ -1109,10 +1109,7 @@ xmlDetectSAX2(xmlParserCtxtPtr 
ctxt) { + if (ctxt == NULL) return; + sax = ctxt->sax; + #ifdef LIBXML_SAX1_ENABLED +- if ((sax) && (sax->initialized == XML_SAX2_MAGIC) && +- ((sax->startElementNs != NULL) || +- (sax->endElementNs != NULL) || +- ((sax->startElement == NULL) && (sax->endElement == NULL)))) ++ if ((sax) && (sax->initialized == XML_SAX2_MAGIC)) + ctxt->sax2 = 1; + #else + ctxt->sax2 = 1; +-- +2.40.0 diff --git a/meta/recipes-core/libxml/libxml2_2.9.14.bb b/meta/recipes-core/libxml/libxml2_2.9.14.bb index 9241b279e4..437bccf4ed 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.14.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.14.bb 
@@ -27,6 +27,8 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar;subdir=${BP};name=testt file://CVE-2022-40304.patch \ file://CVE-2023-28484.patch \ file://CVE-2023-29469.patch \ + file://CVE-2023-39615-0001.patch \ + file://CVE-2023-39615-0002.patch \ " SRC_URI[archive.sha256sum] = "60d74a257d1ccec0475e749cba2f21559e48139efba6ff28224357c7c798dfee"
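Review bot: the parser.c hunk in CVE-2023-39615-0001.patch only deletes the two assignments in xmlCtxtUseOptionsInternal, so with that patch alone a handler set up by xmlSAXVersion(hdlr, 2) and later switched with XML_PARSE_SAX1 is left with startElement and endElement NULL until the xmlSAXVersion hunk in 0002 fills them in. The two patches are only correct together; the parser.c index chain (0f76577..b781c80 in 0001, b781c80..738dbee in 0002) and the SRC_URI order in the libxml2_2.9.14.bb hunk do preserve that, but one sentence in the recipe commit message saying 0002 is a required follow-up would stop either patch being dropped on its own in a later rebase.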
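Review bot: the xmlDetectSAX2 hunk in CVE-2023-39615-0002.patch changes behaviour for applications that set initialized = XML_SAX2_MAGIC but supply only SAX1 startElement/endElement callbacks: the removed clause fell back to SAX1 for them, while the new `if ((sax) && (sax->initialized == XML_SAX2_MAGIC))` always selects SAX2, so those element callbacks stop being invoked. The upstream message says this is intended; please repeat it in the recipe commit message, which currently carries only the NVD text about a global buffer overflow in xmlSAX2StartElement() and does not say that the fix is about SAX1/SAX2 handler initialization handing the wrong user-data argument to the element callbacks.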
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 5/8] flac: fix CVE-2020-22219 Date: Wed, 13 Sep 2023 04:30:37 -1000 Message-Id: <29c6287287c9f26c1d6f9fddf8d2852409bbbbec.1694613269.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 13 Sep 2023 14:31:06 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/187600 From: Meenali Gupta Buffer Overflow vulnerability in function bitwriter_grow_ in flac before 1.4.0 allows remote attackers to run arbitrary code via crafted input to the encoder. Signed-off-by: Meenali Gupta Signed-off-by: Steve Sakoman --- .../flac/files/CVE-2020-22219.patch | 197 ++++++++++++++++++ meta/recipes-multimedia/flac/flac_1.3.4.bb | 1 + 2 files changed, 198 insertions(+) create mode 100644 meta/recipes-multimedia/flac/files/CVE-2020-22219.patch diff --git a/meta/recipes-multimedia/flac/files/CVE-2020-22219.patch b/meta/recipes-multimedia/flac/files/CVE-2020-22219.patch new file mode 100644 index 0000000000..e042872dc0 --- /dev/null +++ b/meta/recipes-multimedia/flac/files/CVE-2020-22219.patch 
@@ -0,0 +1,197 @@ +From 579ff6922089cbbbd179619e40e622e279bd719f Mon Sep 17 00:00:00 2001 +From: Martijn van Beurden +Date: Wed, 3 Aug 2022 13:52:19 +0200 +Subject: [PATCH] flac: Add and use _nofree variants of safe_realloc functions + +Parts of the code use realloc like + +x = safe_realloc(x, somesize); + +when this is the case, the safe_realloc variant used must free the +old memory block in case it fails, otherwise it will leak. However, +there are also instances in the code where handling is different: + +if (0 == (x = safe_realloc(y, somesize))) + return false + +in this case, y should not be freed, as y is not set to NULL we +could encounter double frees. Here the safe_realloc_nofree +functions are used. + +Upstream-Status: Backport [https://github.com/xiph/flac/commit/21fe95ee828b0b9b944f6aa0bb02d24fbb981815] +CVE: CVE-2020-22219 + +Signed-off-by: Meenali Gupta +--- + include/share/alloc.h | 41 +++++++++++++++++++++++++++++++---- + src/flac/encode.c | 4 ++-- + src/flac/foreign_metadata.c | 2 +- + src/libFLAC/bitwriter.c | 2 +- + src/libFLAC/metadata_object.c | 2 +- + src/plugin_common/tags.c | 2 +- + src/share/utf8/iconvert.c | 2 +- + 7 files changed, 44 insertions(+), 11 deletions(-) + +diff --git a/include/share/alloc.h b/include/share/alloc.h +index 914de9b..55bdd1d 100644 +--- a/include/share/alloc.h ++++ b/include/share/alloc.h +@@ -161,17 +161,30 @@ static inline void *safe_realloc_(void *ptr, size_t size) + free(oldptr); + return newptr; + } +-static inline void *safe_realloc_add_2op_(void *ptr, size_t size1, size_t size2) ++static inline void *safe_realloc_nofree_add_2op_(void *ptr, size_t size1, size_t size2) ++{ ++ size2 += size1; ++ if(size2 < size1) ++ return 0; ++ return realloc(ptr, size2); ++} ++ ++static inline void *safe_realloc_add_3op_(void *ptr, size_t size1, size_t size2, size_t size3) + { + size2 += size1; + if(size2 < size1) { + free(ptr); + return 0; + } +- return realloc(ptr, size2); ++ size3 += size2; ++ if(size3 < size2) { ++ 
free(ptr); ++ return 0; ++ } ++ return safe_realloc_(ptr, size3); + } + +-static inline void *safe_realloc_add_3op_(void *ptr, size_t size1, size_t size2, size_t size3) ++static inline void *safe_realloc_nofree_add_3op_(void *ptr, size_t size1, size_t size2, size_t size3) + { + size2 += size1; + if(size2 < size1) +@@ -182,7 +195,7 @@ static inline void *safe_realloc_add_3op_(void *ptr, size_t size1, size_t size2, + return realloc(ptr, size3); + } + +-static inline void *safe_realloc_add_4op_(void *ptr, size_t size1, size_t size2, size_t size3, size_t size4) ++static inline void *safe_realloc_nofree_add_4op_(void *ptr, size_t size1, size_t size2, size_t size3, size_t size4) + { + size2 += size1; + if(size2 < size1) +@@ -205,6 +218,15 @@ static inline void *safe_realloc_mul_2op_(void *ptr, size_t size1, size_t size2) + return safe_realloc_(ptr, size1*size2); + } + ++static inline void *safe_realloc_nofree_mul_2op_(void *ptr, size_t size1, size_t size2) ++{ ++ if(!size1 || !size2) ++ return realloc(ptr, 0); /* preserve POSIX realloc(ptr, 0) semantics */ ++ if(size1 > SIZE_MAX / size2) ++ return 0; ++ return realloc(ptr, size1*size2); ++} ++ + /* size1 * (size2 + size3) */ + static inline void *safe_realloc_muladd2_(void *ptr, size_t size1, size_t size2, size_t size3) + { +@@ -216,4 +238,15 @@ static inline void *safe_realloc_muladd2_(void *ptr, size_t size1, size_t size2, + return safe_realloc_mul_2op_(ptr, size1, size2); + } + ++/* size1 * (size2 + size3) */ ++static inline void *safe_realloc_nofree_muladd2_(void *ptr, size_t size1, size_t size2, size_t size3) ++{ ++ if(!size1 || (!size2 && !size3)) ++ return realloc(ptr, 0); /* preserve POSIX realloc(ptr, 0) semantics */ ++ size2 += size3; ++ if(size2 < size3) ++ return 0; ++ return safe_realloc_nofree_mul_2op_(ptr, size1, size2); ++} ++ + #endif +diff --git a/src/flac/encode.c b/src/flac/encode.c +index a9b907f..f87250c 100644 +--- a/src/flac/encode.c ++++ b/src/flac/encode.c +@@ -1743,10 +1743,10 @@ static void 
static_metadata_clear(static_metadata_t *m) + static FLAC__bool static_metadata_append(static_metadata_t *m, FLAC__StreamMetadata *d, FLAC__bool needs_delete) + { + void *x; +- if(0 == (x = safe_realloc_muladd2_(m->metadata, sizeof(*m->metadata), /*times (*/m->num_metadata, /*+*/1/*)*/))) ++ if(0 == (x = safe_realloc_nofree_muladd2_(m->metadata, sizeof(*m->metadata), /*times (*/m->num_metadata, /*+*/1/*)*/))) + return false; + m->metadata = (FLAC__StreamMetadata**)x; +- if(0 == (x = safe_realloc_muladd2_(m->needs_delete, sizeof(*m->needs_delete), /*times (*/m->num_metadata, /*+*/1/*)*/))) ++ if(0 == (x = safe_realloc_nofree_muladd2_(m->needs_delete, sizeof(*m->needs_delete), /*times (*/m->num_metadata, /*+*/1/*)*/))) + return false; + m->needs_delete = (FLAC__bool*)x; + m->metadata[m->num_metadata] = d; +diff --git a/src/flac/foreign_metadata.c b/src/flac/foreign_metadata.c +index 9ad9c18..fdfb3cf 100644 +--- a/src/flac/foreign_metadata.c ++++ b/src/flac/foreign_metadata.c +@@ -75,7 +75,7 @@ static FLAC__bool copy_data_(FILE *fin, FILE *fout, size_t size, const char **er + + static FLAC__bool append_block_(foreign_metadata_t *fm, FLAC__off_t offset, FLAC__uint32 size, const char **error) + { +- foreign_block_t *fb = safe_realloc_muladd2_(fm->blocks, sizeof(foreign_block_t), /*times (*/fm->num_blocks, /*+*/1/*)*/); ++ foreign_block_t *fb = safe_realloc_nofree_muladd2_(fm->blocks, sizeof(foreign_block_t), /*times (*/fm->num_blocks, /*+*/1/*)*/); + if(fb) { + fb[fm->num_blocks].offset = offset; + fb[fm->num_blocks].size = size; +diff --git a/src/libFLAC/bitwriter.c b/src/libFLAC/bitwriter.c +index 6e86585..a510b0d 100644 +--- a/src/libFLAC/bitwriter.c ++++ b/src/libFLAC/bitwriter.c +@@ -124,7 +124,7 @@ FLAC__bool bitwriter_grow_(FLAC__BitWriter *bw, uint32_t bits_to_add) + FLAC__ASSERT(new_capacity > bw->capacity); + FLAC__ASSERT(new_capacity >= bw->words + ((bw->bits + bits_to_add + FLAC__BITS_PER_WORD - 1) / FLAC__BITS_PER_WORD)); + +- new_buffer = 
safe_realloc_mul_2op_(bw->buffer, sizeof(bwword), /*times*/new_capacity); ++ new_buffer = safe_realloc_nofree_mul_2op_(bw->buffer, sizeof(bwword), /*times*/new_capacity); + if(new_buffer == 0) + return false; + bw->buffer = new_buffer; +diff --git a/src/libFLAC/metadata_object.c b/src/libFLAC/metadata_object.c +index de8e513..aef65be 100644 +--- a/src/libFLAC/metadata_object.c ++++ b/src/libFLAC/metadata_object.c +@@ -98,7 +98,7 @@ static FLAC__bool free_copy_bytes_(FLAC__byte **to, const FLAC__byte *from, uint + /* realloc() failure leaves entry unchanged */ + static FLAC__bool ensure_null_terminated_(FLAC__byte **entry, uint32_t length) + { +- FLAC__byte *x = safe_realloc_add_2op_(*entry, length, /*+*/1); ++ FLAC__byte *x = safe_realloc_nofree_add_2op_(*entry, length, /*+*/1); + if (x != NULL) { + x[length] = '\0'; + *entry = x; +diff --git a/src/plugin_common/tags.c b/src/plugin_common/tags.c +index ae440c5..dfa10d3 100644 +--- a/src/plugin_common/tags.c ++++ b/src/plugin_common/tags.c +@@ -317,7 +317,7 @@ FLAC__bool FLAC_plugin__tags_add_tag_utf8(FLAC__StreamMetadata *tags, const char + const size_t value_len = strlen(value); + const size_t separator_len = strlen(separator); + FLAC__byte *new_entry; +- if(0 == (new_entry = safe_realloc_add_4op_(entry->entry, entry->length, /*+*/value_len, /*+*/separator_len, /*+*/1))) ++ if(0 == (new_entry = safe_realloc_nofree_add_4op_(entry->entry, entry->length, /*+*/value_len, /*+*/separator_len, /*+*/1))) + return false; + memcpy(new_entry+entry->length, separator, separator_len); + entry->length += separator_len; +diff --git a/src/share/utf8/iconvert.c b/src/share/utf8/iconvert.c +index 8ab53c1..876c06e 100644 +--- a/src/share/utf8/iconvert.c ++++ b/src/share/utf8/iconvert.c +@@ -149,7 +149,7 @@ int iconvert(const char *fromcode, const char *tocode, + iconv_close(cd1); + return ret; + } +- newbuf = safe_realloc_add_2op_(utfbuf, (ob - utfbuf), /*+*/1); ++ newbuf = safe_realloc_nofree_add_2op_(utfbuf, (ob - utfbuf), 
/*+*/1); + if (!newbuf) + goto fail; + ob = (ob - utfbuf) + newbuf; +-- +2.40.0 diff --git a/meta/recipes-multimedia/flac/flac_1.3.4.bb b/meta/recipes-multimedia/flac/flac_1.3.4.bb index 012da0a0a0..1a44718bba 100644 --- a/meta/recipes-multimedia/flac/flac_1.3.4.bb +++ b/meta/recipes-multimedia/flac/flac_1.3.4.bb 
@@ -15,6 +15,7 @@ LIC_FILES_CHKSUM = "file://COPYING.FDL;md5=ad1419ecc56e060eccf8184a87c4285f \ DEPENDS = "libogg" SRC_URI = "http://downloads.xiph.org/releases/flac/${BP}.tar.xz \ + file://CVE-2020-22219.patch \ " SRC_URI[sha256sum] = "8ff0607e75a322dd7cd6ec48f4f225471404ae2730d0ea945127b1355155e737"
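Review bot: the alloc.h hunk at @@ -161,17 +161,30 @@ removes the freeing safe_realloc_add_2op_ outright, renames safe_realloc_add_3op_ and safe_realloc_add_4op_ to the _nofree_ names, and introduces a new freeing safe_realloc_add_3op_ that nothing in this patch calls. All in-tree callers listed in the diffstat (metadata_object.c, tags.c, iconvert.c) are updated, but any other code in the 1.3.4 tree or a bbappend that still references safe_realloc_add_2op_ or safe_realloc_add_4op_ would no longer compile, so a full build of the recipe including the plugin targets should be confirmed before merging.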
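Review bot: in the @@ -205,6 +218,15 @@ and @@ -216,4 +238,15 @@ hunks the new safe_realloc_nofree_mul_2op_ and safe_realloc_nofree_muladd2_ still call `realloc(ptr, 0)` when a size operand is zero; on glibc that frees ptr and returns NULL, so a caller written as `if(0 == (x = safe_realloc_nofree_muladd2_(m->metadata, ...))) return false;` would be left holding a freed m->metadata, the very dangling-pointer pattern the commit message says the _nofree_ variants exist to avoid. The present callers cannot pass zero (static_metadata_append multiplies sizeof(*m->metadata) by num_metadata + 1, and bitwriter_grow_ asserts new_capacity > bw->capacity), but the helper's contract should either return 0 without touching ptr for a zero size or document that zero is not allowed.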
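Review bot: the bitwriter.c hunk is the one that maps to CVE-2020-22219 and the reason deserves a sentence in the recipe commit message: the old safe_realloc_mul_2op_ goes through safe_realloc_, whose visible tail is `free(oldptr); return newptr;`, so a failed grow freed bw->buffer and the following `return false` left bw->buffer pointing at freed memory for the next write; with safe_realloc_nofree_mul_2op_ the old buffer stays valid on failure. Separately, the patch header reads `From 579ff6922089cbbbd179619e40e622e279bd719f` while Upstream-Status points at commit 21fe95ee828b0b9b944f6aa0bb02d24fbb981815; one of the two should be corrected, or the branch the backport was taken from named, so the provenance check in cve-check and patch review lines up.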
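Review bot: the iconvert.c hunk switches to safe_realloc_nofree_add_2op_ and on NULL does `goto fail`, which now relies on the fail label (outside the hunk context) freeing utfbuf itself; please confirm it does, otherwise the change turns the previous double free into a leak of utfbuf on allocation failure. The same question applies to the tags.c hunk, where `return false` after a failed safe_realloc_nofree_add_4op_ leaves entry->entry owned by the caller, which is the intended behaviour but worth a comment at the call site.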
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 6/8] webkitgtk: fix CVE-2022-48503 Date: Wed, 13 Sep 2023 04:30:38 -1000 Message-Id: <8f956bc19963a02ee7b908bb49301a2ea5052066.1694613269.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 13 Sep 2023 14:31:06 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/187601 From: Yogita Urade The issue was addressed with improved bounds checks. This issue is fixed in tvOS 15.6, watchOS 8.7, iOS 15.6 and iPadOS 15.6, macOS Monterey 12.5, Safari 15.6. Processing web content may lead to arbitrary code execution. References: https://nvd.nist.gov/vuln/detail/CVE-2022-48503 https://support.apple.com/en-us/HT213340 https://bugs.webkit.org/show_bug.cgi?id=241931 Signed-off-by: Yogita Urade Signed-off-by: Steve Sakoman --- .../webkit/webkitgtk/CVE-2022-48503.patch | 225 ++++++++++++++++++ meta/recipes-sato/webkit/webkitgtk_2.36.8.bb | 1 + 2 files changed, 226 insertions(+) create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2022-48503.patch diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2022-48503.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-48503.patch new file mode 100644 index 0000000000..b67751736d --- /dev/null +++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-48503.patch 
@@ -0,0 +1,225 @@ +From 612c245823a515c8c70c2ad486957bd8a850f0f9 Mon Sep 17 00:00:00 2001 +From: Yusuke Suzuki +Date: Tue, 5 Sep 2023 08:40:19 +0000 +Subject: [PATCH] [JSC] Refactor wasm section ordering code + https://bugs.webkit.org/show_bug.cgi?id=241931 rdar://83326477 + +Reviewed by Keith Miller. + +This patch refactors existing validateOrder code since it is too adhoc right now. + +* Source/JavaScriptCore/wasm/WasmModuleInformation.h: +(JSC::Wasm::ModuleInformation::dataSegmentsCount const): +* Source/JavaScriptCore/wasm/WasmSectionParser.cpp: +(JSC::Wasm::SectionParser::parseData): +(JSC::Wasm::SectionParser::parseDataCount): +* Source/JavaScriptCore/wasm/WasmSectionParser.h: +* Source/JavaScriptCore/wasm/WasmSections.h: +(JSC::Wasm::orderingNumber): +(JSC::Wasm::isKnownSection): +(JSC::Wasm::validateOrder): +(JSC::Wasm::makeString): +* Source/JavaScriptCore/wasm/WasmStreamingParser.cpp: +(JSC::Wasm::StreamingParser::parseSectionPayload): +(JSC::Wasm::StreamingParser::finalize): + +Canonical link: https://commits.webkit.org/251800@main + +CVE: CVE-2022-48503 + +Upstream-Status: Backport [https://github.com/WebKit/WebKit/commit/612c245823a515c8c70c2ad486957bd8a850f0f9] + +Signed-off-by: Yogita Urade +--- + .../wasm/WasmModuleInformation.h | 4 +- + .../JavaScriptCore/wasm/WasmSectionParser.cpp | 3 ++ + .../JavaScriptCore/wasm/WasmSectionParser.h | 2 +- + Source/JavaScriptCore/wasm/WasmSections.h | 52 +++++++++++-------- + .../wasm/WasmStreamingParser.cpp | 11 +++- + 5 files changed, 45 insertions(+), 27 deletions(-) + +diff --git a/Source/JavaScriptCore/wasm/WasmModuleInformation.h b/Source/JavaScriptCore/wasm/WasmModuleInformation.h +index ae6bbeed..f9f1baf7 100644 +--- a/Source/JavaScriptCore/wasm/WasmModuleInformation.h ++++ b/Source/JavaScriptCore/wasm/WasmModuleInformation.h +@@ -86,7 +86,7 @@ struct ModuleInformation : public ThreadSafeRefCounted { + uint32_t memoryCount() const { return memory ? 
1 : 0; } + uint32_t tableCount() const { return tables.size(); } + uint32_t elementCount() const { return elements.size(); } +- uint32_t dataSegmentsCount() const { return numberOfDataSegments; } ++ uint32_t dataSegmentsCount() const { return numberOfDataSegments.value_or(0); } + + const TableInformation& table(unsigned index) const { return tables[index]; } + +@@ -131,7 +131,7 @@ struct ModuleInformation : public ThreadSafeRefCounted { + Vector customSections; + Ref nameSection; + BranchHints branchHints; +- uint32_t numberOfDataSegments { 0 }; ++ std::optional numberOfDataSegments; + + BitVector m_declaredFunctions; + BitVector m_declaredExceptions; +diff --git a/Source/JavaScriptCore/wasm/WasmSectionParser.cpp b/Source/JavaScriptCore/wasm/WasmSectionParser.cpp +index 5b511811..c55ee3c0 100644 +--- a/Source/JavaScriptCore/wasm/WasmSectionParser.cpp ++++ b/Source/JavaScriptCore/wasm/WasmSectionParser.cpp +@@ -768,6 +768,8 @@ auto SectionParser::parseData() -> PartialResult + uint32_t segmentCount; + WASM_PARSER_FAIL_IF(!parseVarUInt32(segmentCount), "can't get Data section's count"); + WASM_PARSER_FAIL_IF(segmentCount > maxDataSegments, "Data section's count is too big ", segmentCount, " maximum ", maxDataSegments); ++ if (m_info->numberOfDataSegments) ++ WASM_PARSER_FAIL_IF(segmentCount != m_info->numberOfDataSegments.value(), "Data section's count ", segmentCount, " is different from Data Count section's count ", m_info->numberOfDataSegments.value()); + WASM_PARSER_FAIL_IF(!m_info->data.tryReserveCapacity(segmentCount), "can't allocate enough memory for Data section's ", segmentCount, " segments"); + + for (uint32_t segmentNumber = 0; segmentNumber < segmentCount; ++segmentNumber) { +@@ -847,6 +849,7 @@ auto SectionParser::parseDataCount() -> PartialResult + { + uint32_t numberOfDataSegments; + WASM_PARSER_FAIL_IF(!parseVarUInt32(numberOfDataSegments), "can't get Data Count section's count"); ++ WASM_PARSER_FAIL_IF(numberOfDataSegments > maxDataSegments, "Data 
Count section's count is too big ", numberOfDataSegments , " maximum ", maxDataSegments); + + m_info->numberOfDataSegments = numberOfDataSegments; + return { }; +diff --git a/Source/JavaScriptCore/wasm/WasmSectionParser.h b/Source/JavaScriptCore/wasm/WasmSectionParser.h +index 91fd3ed8..4d7dcbac 100644 +--- a/Source/JavaScriptCore/wasm/WasmSectionParser.h ++++ b/Source/JavaScriptCore/wasm/WasmSectionParser.h +@@ -44,7 +44,7 @@ public: + { + } + +-#define WASM_SECTION_DECLARE_PARSER(NAME, ID, DESCRIPTION) PartialResult WARN_UNUSED_RETURN parse ## NAME(); ++#define WASM_SECTION_DECLARE_PARSER(NAME, ID, ORDERING, DESCRIPTION) PartialResult WARN_UNUSED_RETURN parse ## NAME(); + FOR_EACH_KNOWN_WASM_SECTION(WASM_SECTION_DECLARE_PARSER) + #undef WASM_SECTION_DECLARE_PARSER + +diff --git a/Source/JavaScriptCore/wasm/WasmSections.h b/Source/JavaScriptCore/wasm/WasmSections.h +index bef20701..b422a587 100644 +--- a/Source/JavaScriptCore/wasm/WasmSections.h ++++ b/Source/JavaScriptCore/wasm/WasmSections.h +@@ -33,20 +33,21 @@ IGNORE_RETURN_TYPE_WARNINGS_BEGIN + + namespace JSC { namespace Wasm { + ++// macro(Name, ID, OrderingNumber, Description). 
+ #define FOR_EACH_KNOWN_WASM_SECTION(macro) \ +- macro(Type, 1, "Function signature declarations") \ +- macro(Import, 2, "Import declarations") \ +- macro(Function, 3, "Function declarations") \ +- macro(Table, 4, "Indirect function table and other tables") \ +- macro(Memory, 5, "Memory attributes") \ +- macro(Global, 6, "Global declarations") \ +- macro(Export, 7, "Exports") \ +- macro(Start, 8, "Start function declaration") \ +- macro(Element, 9, "Elements section") \ +- macro(Code, 10, "Function bodies (code)") \ +- macro(Data, 11, "Data segments") \ +- macro(DataCount, 12, "Data count") \ +- macro(Exception, 13, "Exception declarations") \ ++ macro(Type, 1, 1, "Function signature declarations") \ ++ macro(Import, 2, 2, "Import declarations") \ ++ macro(Function, 3, 3, "Function declarations") \ ++ macro(Table, 4, 4, "Indirect function table and other tables") \ ++ macro(Memory, 5, 5, "Memory attributes") \ ++ macro(Global, 6, 7, "Global declarations") \ ++ macro(Export, 7, 8, "Exports") \ ++ macro(Start, 8, 9, "Start function declaration") \ ++ macro(Element, 9, 10, "Elements section") \ ++ macro(Code, 10, 12, "Function bodies (code)") \ ++ macro(Data, 11, 13, "Data segments") \ ++ macro(DataCount, 12, 11, "Data count") \ ++ macro(Exception, 13, 6, "Exception declarations") \ + + enum class Section : uint8_t { + // It's important that Begin is less than every other section number and that Custom is greater. +@@ -54,18 +55,29 @@ enum class Section : uint8_t { + // Also, Begin is not a real section but is used as a marker for validating the ordering + // of sections. 
+ Begin = 0, +-#define DEFINE_WASM_SECTION_ENUM(NAME, ID, DESCRIPTION) NAME = ID, ++#define DEFINE_WASM_SECTION_ENUM(NAME, ID, ORDERING, DESCRIPTION) NAME = ID, + FOR_EACH_KNOWN_WASM_SECTION(DEFINE_WASM_SECTION_ENUM) + #undef DEFINE_WASM_SECTION_ENUM + Custom + }; + static_assert(static_cast(Section::Begin) < static_cast(Section::Type), "Begin should come before the first known section."); + ++inline unsigned orderingNumber(Section section) ++{ ++ switch (section) { ++#define ORDERING_OF_SECTION(NAME, ID, ORDERING, DESCRIPTION) case Section::NAME: return ORDERING; ++ FOR_EACH_KNOWN_WASM_SECTION(ORDERING_OF_SECTION) ++#undef VALIDATE_SECTION ++ default: ++ return static_cast(section); ++ } ++} ++ + template + inline bool isKnownSection(Int section) + { + switch (section) { +-#define VALIDATE_SECTION(NAME, ID, DESCRIPTION) case static_cast(Section::NAME): return true; ++#define VALIDATE_SECTION(NAME, ID, ORDERING, DESCRIPTION) case static_cast(Section::NAME): return true; + FOR_EACH_KNOWN_WASM_SECTION(VALIDATE_SECTION) + #undef VALIDATE_SECTION + default: +@@ -89,13 +101,7 @@ inline bool decodeSection(uint8_t sectionByte, Section& section) + inline bool validateOrder(Section previousKnown, Section next) + { + ASSERT(isKnownSection(previousKnown) || previousKnown == Section::Begin); +- if (previousKnown == Section::DataCount && next == Section::Code) +- return true; +- if (previousKnown == Section::Exception) +- return next >= Section::Global; +- if (next == Section::Exception) +- return previousKnown <= Section::Memory; +- return static_cast(previousKnown) < static_cast(next); ++ return orderingNumber(previousKnown) < orderingNumber(next); + } + + inline const char* makeString(Section section) +@@ -105,7 +111,7 @@ inline const char* makeString(Section section) + return "Begin"; + case Section::Custom: + return "Custom"; +-#define STRINGIFY_SECTION_NAME(NAME, ID, DESCRIPTION) case Section::NAME: return #NAME; ++#define STRINGIFY_SECTION_NAME(NAME, ID, ORDERING, 
DESCRIPTION) case Section::NAME: return #NAME; + FOR_EACH_KNOWN_WASM_SECTION(STRINGIFY_SECTION_NAME) + #undef STRINGIFY_SECTION_NAME + } +diff --git a/Source/JavaScriptCore/wasm/WasmStreamingParser.cpp b/Source/JavaScriptCore/wasm/WasmStreamingParser.cpp +index fa552eff..25e7e32d 100644 +--- a/Source/JavaScriptCore/wasm/WasmStreamingParser.cpp ++++ b/Source/JavaScriptCore/wasm/WasmStreamingParser.cpp +@@ -161,7 +161,7 @@ auto StreamingParser::parseSectionPayload(Vector&& data) -> State + { + SectionParser parser(data.data(), data.size(), m_offset, m_info.get()); + switch (m_section) { +-#define WASM_SECTION_PARSE(NAME, ID, DESCRIPTION) \ ++#define WASM_SECTION_PARSE(NAME, ID, ORDERING, DESCRIPTION) \ + case Section::NAME: { \ + WASM_STREAMING_PARSER_FAIL_IF_HELPER_FAILS(parser.parse ## NAME()); \ + break; \ +@@ -393,9 +393,18 @@ auto StreamingParser::finalize() -> State + m_state = fail("Number of functions parsed (", m_functionCount, ") does not match the number of declared functions (", m_info->functions.size(), ")"); + break; + } ++ ++ if (m_info->numberOfDataSegments) { ++ if (UNLIKELY(m_info->data.size() != m_info->numberOfDataSegments.value())) { ++ m_state = fail("Data section's count ", m_info->data.size(), " is different from Data Count section's count ", m_info->numberOfDataSegments.value()); ++ break; ++ } ++ } ++ + if (m_remaining.isEmpty()) { + if (UNLIKELY(Options::useEagerWebAssemblyModuleHashing())) + m_info->nameSection->setHash(m_hasher.computeHexDigest()); ++ + m_state = State::Finished; + m_client.didFinishParsing(); + } else +-- +2.40.0 diff --git a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb index 20f475bebd..10fcd0813a 100644 --- a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb +++ b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb 
@@ -22,6 +22,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BP}.tar.xz \ file://CVE-2022-42867.patch \ file://CVE-2022-46700.patch \ file://CVE-2023-23529.patch \ + file://CVE-2022-48503.patch \ " SRC_URI[sha256sum] = "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"
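Review bot: `#undef VALIDATE_SECTION` at the end of the new `orderingNumber` body undefines the wrong macro; the macro defined two lines earlier is `ORDERING_OF_SECTION`, so the line should read `#undef ORDERING_OF_SECTION`. As written, `ORDERING_OF_SECTION` stays defined for the rest of the header, and the `#undef VALIDATE_SECTION` runs before that macro is ever defined (legal, but misleading to the next reader).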
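Review bot: replacing the hand-written DataCount/Exception cases in `validateOrder` with `orderingNumber(previousKnown) < orderingNumber(next)` moves the ordering rules into the new ORDERING column of `FOR_EACH_KNOWN_WASM_SECTION`, which this hunk does not show. The reviewer should confirm that table still allows what the removed lines allowed (DataCount directly before Code; Exception after Memory and before Global) and gives every known section a positive ordering, because `orderingNumber` falls back to the raw id for `Begin` (0) and the `static_assert` at the top of the enum still compares ids, not orderings. Making `orderingNumber` `constexpr` would let the header assert on the orderings as well.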
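Review bot: the new count check in `StreamingParser::finalize` runs only when a DataCount section was present (`if (m_info->numberOfDataSegments)` tests the optional), so modules without one are unaffected, and a mismatch between `m_info->data.size()` and `numberOfDataSegments.value()` now fails the module instead of finishing it. Because it sits in `finalize`, the mismatch is detected only after the whole stream has been consumed; a reviewer may want to confirm nothing earlier in parsing depends on the two counts agreeing. The extra blank line added before `m_state = State::Finished;` is whitespace only and could be dropped from the backport.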
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 7/8] gdb: Fix CVE-2023-39128 Date: Wed, 13 Sep 2023 04:30:39 -1000 Message-Id: <1a19a101cecc578aac84e365a361b76f129fe655.1694613269.git.steve@sakoman.com> X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/187602 From: Siddharth Doshi Note: The fix needs to be pushed in gdb rather than binutils-gdb as we are disabling gdb in binutils configure. Upstream-Status: Backport from [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=033bc52bb6190393c8eed80925fa78cc35b40c6d] CVE: CVE-2023-39128 Signed-off-by: Siddharth Doshi Signed-off-by: Steve Sakoman --- meta/recipes-devtools/gdb/gdb.inc | 1 + .../gdb/gdb/0011-CVE-2023-39128.patch | 75 +++++++++++++++++++ 2 files changed, 76 insertions(+) create mode 100644 meta/recipes-devtools/gdb/gdb/0011-CVE-2023-39128.patch diff --git a/meta/recipes-devtools/gdb/gdb.inc b/meta/recipes-devtools/gdb/gdb.inc index 649ee28727..099bd2d8f5 100644 --- a/meta/recipes-devtools/gdb/gdb.inc +++ b/meta/recipes-devtools/gdb/gdb.inc @@ -14,5 +14,6 @@ SRC_URI = "${GNU_MIRROR}/gdb/gdb-${PV}.tar.xz \ file://0008-resolve-restrict-keyword-conflict.patch \ file://0009-Fix-invalid-sigprocmask-call.patch \ file://0010-gdbserver-ctrl-c-handling.patch \ + file://0011-CVE-2023-39128.patch \ " SRC_URI[sha256sum] = "1497c36a71881b8671a9a84a0ee40faab788ca30d7ba19d8463c3cc787152e32" diff --git a/meta/recipes-devtools/gdb/gdb/0011-CVE-2023-39128.patch b/meta/recipes-devtools/gdb/gdb/0011-CVE-2023-39128.patch new file mode 100644 index 0000000000..53b49cb21d --- /dev/null +++ b/meta/recipes-devtools/gdb/gdb/0011-CVE-2023-39128.patch
@@ -0,0 +1,75 @@ +From 033bc52bb6190393c8eed80925fa78cc35b40c6d Mon Sep 17 00:00:00 2001 +From: Tom Tromey +Date: Wed, 16 Aug 2023 11:29:19 -0600 +Subject: [PATCH] Avoid buffer overflow in ada_decode + +A bug report pointed out a buffer overflow in ada_decode, which Keith +helpfully analyzed. ada_decode had a logic error when the input was +all digits. While this isn't valid -- and would probably only appear +in fuzzer tests -- it still should be handled properly. + +This patch adds a missing bounds check. Tested with the self-tests in +an asan build. + +Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=30639 +Reviewed-by: Keith Seitz + +Upstream-Status: Backport from [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=033bc52bb6190393c8eed80925fa78cc35b40c6d] +CVE: CVE-2023-39128 +Signed-off-by: Siddharth Doshi +--- + gdb/ada-lang.c | 19 ++++++++++++++++++- + 1 file changed, 18 insertions(+), 1 deletion(-) + +diff --git a/gdb/ada-lang.c b/gdb/ada-lang.c +index 70a2b44..f682302 100644 +--- a/gdb/ada-lang.c ++++ b/gdb/ada-lang.c +@@ -57,6 +57,7 @@ + #include "cli/cli-utils.h" + #include "gdbsupport/function-view.h" + #include "gdbsupport/byte-vector.h" ++#include "gdbsupport/selftest.h" + #include + #include "ada-exp.h" + +@@ -1057,7 +1058,7 @@ ada_decode (const char *encoded, bool wrap) + i -= 1; + if (i > 1 && encoded[i] == '_' && encoded[i - 1] == '_') + len0 = i - 1; +- else if (encoded[i] == '$') ++ else if (i >= 0 && encoded[i] == '$') + len0 = i; + } + +@@ -1225,6 +1226,18 @@ ada_decode (const char *encoded, bool wrap) + return decoded; + } + ++#ifdef GDB_SELF_TEST ++ ++static void ++ada_decode_tests () ++{ ++ /* This isn't valid, but used to cause a crash. PR gdb/30639. The ++ result does not really matter very much. */ ++ SELF_CHECK (ada_decode ("44") == "44"); ++} ++ ++#endif ++ + /* Table for keeping permanent unique copies of decoded names. Once + allocated, names in this table are never released. 
While this is a + storage leak, it should not be significant unless there are massive +@@ -13497,4 +13510,8 @@ DWARF attribute."), + gdb::observers::new_objfile.attach (ada_new_objfile_observer, "ada-lang"); + gdb::observers::free_objfile.attach (ada_free_objfile_observer, "ada-lang"); + gdb::observers::inferior_exit.attach (ada_inferior_exit, "ada-lang"); ++ ++#ifdef GDB_SELF_TEST ++ selftests::register_test ("ada-decode", ada_decode_tests); ++#endif + } +-- +2.35.7 +
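Review bot: the `i >= 0 &&` guard added to the `'$'` branch in `ada_decode` is the whole fix: the loop above decrements `i`, the `'_'` branch already protects itself with `i > 1`, but the `'$'` branch read `encoded[i]` with no lower bound, so an all-digit input drove `i` to -1 and read one byte before the buffer. The guard only works if `i` is a signed type, which the hunk does not show; worth confirming in the surrounding declaration before merging the backport.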
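Review bot: the new `ada_decode_tests` self-test exercises only the all-digit input `"44"` from the bug report and is compiled only under `GDB_SELF_TEST`, which matches the asan self-test run described in the commit message; the `selftests::register_test ("ada-decode", ada_decode_tests)` registration carries the same guard, which is correct. The `#include "gdbsupport/selftest.h"` is added unconditionally while its only users sit inside `#ifdef GDB_SELF_TEST`; that mirrors the upstream commit, so it is fine for a backport, but a stricter tree could place it under the same guard.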
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 8/8] yocto-uninative: Update to 4.3 Date: Wed, 13 Sep 2023 04:30:40 -1000 Message-Id: <26309ba6ef5b776d6bc45b984261b91e6c8c5a94.1694613269.git.steve@sakoman.com> X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/187603 From: Michael Halstead Add in stable updates to glibc 2.38 to fix malloc bugs Signed-off-by: Michael Halstead Signed-off-by: Richard Purdie (cherry picked from commit 39f987fcb20ad7c0e45425b9f508d463c50ce0c1) Signed-off-by: Steve Sakoman --- meta/conf/distro/include/yocto-uninative.inc | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/meta/conf/distro/include/yocto-uninative.inc b/meta/conf/distro/include/yocto-uninative.inc index 6596c0f4a2..eaa3e9b31c 100644 --- a/meta/conf/distro/include/yocto-uninative.inc +++ b/meta/conf/distro/include/yocto-uninative.inc @@ -7,9 +7,9 @@ # UNINATIVE_MAXGLIBCVERSION = "2.38" -UNINATIVE_VERSION = "4.2" +UNINATIVE_VERSION = "4.3" UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/${UNINATIVE_VERSION}/" -UNINATIVE_CHECKSUM[aarch64] ?= "cff40e7bdde50aeda06707af8c001796a71b4cf33c5ae1616e5c47943ff6b94e" -UNINATIVE_CHECKSUM[i686] ?= "a70516447e9a9f1465ffaf1c7f89e79d1692d2356d86fd2a5a63acd908db1ff2" -UNINATIVE_CHECKSUM[x86_64] ?= "6a86d71eeafba4fefec600c9bf8cf4a01324d1eb52788b6e398d3f23c10d19fb" +UNINATIVE_CHECKSUM[aarch64] ?= "8df05f4a41455018b4303b2e0ea4eac5c960b5a13713f6dbb33dfdb3e32753ec" +UNINATIVE_CHECKSUM[i686] ?= "bea76b4a97c9ba0077c0dd1295f519cd599dbf71f0ca1c964471c4cdb043addd" +UNINATIVE_CHECKSUM[x86_64] ?= "1c35f09a75c4096749bbe1e009df4e3968cde151424062cf4aa3ed89db22b030"
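Review bot: the hunk bumps `UNINATIVE_VERSION` from "4.2" to "4.3" and replaces all three `UNINATIVE_CHECKSUM` values together while leaving `UNINATIVE_MAXGLIBCVERSION` at "2.38", which is consistent with the commit message (a stable glibc 2.38 update, not a new glibc). The new sha256 values cannot be checked from the diff itself; the reviewer should verify them against the tarballs published under `UNINATIVE_URL` before merging, since the `UNINATIVE_URL` is plain http and the checksum is the only integrity control on what every build downloads.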