From patchwork Sat Sep 30 19:39:58 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 31449 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id F2D90E728E1 for ; Sat, 30 Sep 2023 19:40:24 +0000 (UTC) Received: from mail-oa1-f46.google.com (mail-oa1-f46.google.com [209.85.160.46]) by mx.groups.io with SMTP id smtpd.web11.47401.1696102821699495219 for ; Sat, 30 Sep 2023 12:40:21 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=yTRJnJdy; spf=softfail (domain: sakoman.com, ip: 209.85.160.46, mailfrom: steve@sakoman.com) Received: by mail-oa1-f46.google.com with SMTP id 586e51a60fabf-1dd8304b980so3595799fac.2 for ; Sat, 30 Sep 2023 12:40:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1696102820; x=1696707620; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=mC+3C8oxYwk136v1RPQ41CWRX6xO+vAEuFcidQxvvko=; b=yTRJnJdyNFIISQIuRrR4yALlWyUr/AWwgvfO/nJq/vAuavxNVrYDbN/NOoU7EpYejo 9Cyq2aZe2qTGciNdSVi8q6WkPHa3x2K9faZaJ6O5VkqxfdVl7u4of43+KBMmBIirczK3 KLZ3nYfmc5RUAPCNzNUNsVJA11GqUfCJKpOmYQSXeqPvuYWdXkKLrnPx7Lwm4wglLIeQ NRIMfCNowhKQusS9YthFY9RAwXov8fVF45H+Tsz4DOYf0Cz2Nwv8QRWy9s71lh7T8q5M BXhrNVgf++nn4r8nc3IfKZiYUVxkb7xm4PptJqXxgDsJ6lBbmsqZqxg8FoGWMLIveEOi UcTA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1696102820; x=1696707620; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=mC+3C8oxYwk136v1RPQ41CWRX6xO+vAEuFcidQxvvko=; b=i7hCW16EK0qW/LcCZZWSYsCgjeEbg3hOS6mPZbSWNuz0g2GCmpr7VIxBIUFJvj+hEf rAYv+FYNxH8EcNNpDexHtJ0E3YGDSXBwnZVvhhaoZmaV9SwjiSPznquCE8IC1wiruQ8X 3BRXV+/mW5Hyyni8sE1FmMC688In2Ew2g0pp7GpwpEb/wmb28caELWJYeG9kN6IFYoOX L7hL7T0eYenxEv1TipnP/MecyO62c47L3WOkF9YQiLiA2wp0z6It+ENuWW6AovCSGyuI ZZpPLne2DDgRIeBUxIcp0ufVHDZaUDLizFfEy9r89QX0bp72rwFF4OCfzC0qMCbKLUfY 0HLA== X-Gm-Message-State: AOJu0YycnUxINoRWxYFrkJN4MuScPK7AFO4pOaPmBkpzg3XUpiZKoIwF t6IOqBaQkILGOPsxPWgZVE9IZVikFsPm/gmTojA= X-Google-Smtp-Source: AGHT+IHB6iYoixgGKZyLeB6pCxzJbZVJivIATxJuIRSTtbKTJxWC7PGOZAv5hMBDWsffTN7htIqIkg== X-Received: by 2002:a05:6870:1691:b0:1d7:876:c825 with SMTP id j17-20020a056870169100b001d70876c825mr8912307oae.48.1696102820602; Sat, 30 Sep 2023 12:40:20 -0700 (PDT) Received: from hexa.lan (dhcp-72-234-106-30.hawaiiantel.net. [72.234.106.30]) by smtp.gmail.com with ESMTPSA id p2-20020a62ab02000000b006936d053677sm2880011pff.133.2023.09.30.12.40.19 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 30 Sep 2023 12:40:19 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 01/13] mdadm: Backport fix for CVE-2023-28736 Date: Sat, 30 Sep 2023 09:39:58 -1000 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 30 Sep 2023 19:40:24 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/188466 From: Ashish Sharma Signed-off-by: Ashish Sharma Signed-off-by: Steve Sakoman --- .../mdadm/files/CVE-2023-28736.patch | 77 +++++++++++++++++++ meta/recipes-extended/mdadm/mdadm_4.1.bb | 1 + 2 files changed, 78 insertions(+) create mode 100644 meta/recipes-extended/mdadm/files/CVE-2023-28736.patch diff --git a/meta/recipes-extended/mdadm/files/CVE-2023-28736.patch b/meta/recipes-extended/mdadm/files/CVE-2023-28736.patch new file mode 100644 index 0000000000..8e0a06cbc7 --- /dev/null +++ b/meta/recipes-extended/mdadm/files/CVE-2023-28736.patch @@ -0,0 +1,77 @@ +From ced5fa8b170ad448f4076e24a10c731b5cfb36ce Mon Sep 17 00:00:00 2001 +From: Blazej Kucman +Date: Fri, 3 Dec 2021 15:31:15 +0100 +Subject: mdadm: block creation with long names + +This fixes buffer overflows in create_mddev(). It prohibits +creation with not supported names for DDF and native. For IMSM, +mdadm will do silent cut to 16 later. + +Signed-off-by: Mariusz Tkaczyk +Signed-off-by: Blazej Kucman +Signed-off-by: Jes Sorensen +--- + +Upstream-Status: Backport from [https://git.kernel.org/pub/scm/utils/mdadm/mdadm.git/patch/?id=ced5fa8b170ad448f4076e24a10c731b5cfb36ce] +CVE: CVE-2023-28736 +Signed-off-by: Ashish Sharma + + mdadm.8.in | 5 +++++ + mdadm.c | 9 ++++++++- + mdadm.h | 5 +++++ + 3 files changed, 18 insertions(+), 1 deletion(-) + +diff --git a/mdadm.8.in b/mdadm.8.in +index 28d773c2..68e100cb 100644 +--- a/mdadm.8.in ++++ b/mdadm.8.in +@@ -2186,6 +2186,11 @@ is run, but will be created by + .I udev + once the array becomes active. + ++The max length md-device name is limited to 32 characters. ++Different metadata types have more strict limitation ++(like IMSM where only 16 characters are allowed). ++For that reason, long name could be truncated or rejected, it depends on metadata policy. ++ + As devices are added, they are checked to see if they contain RAID + superblocks or filesystems. They are also checked to see if the variance in + device size exceeds 1%. +diff --git a/mdadm.c b/mdadm.c +index 91e67467..26299b2e 100644 +--- a/mdadm.c ++++ b/mdadm.c +@@ -1359,9 +1359,16 @@ int main(int argc, char *argv[]) + mdfd = open_mddev(devlist->devname, 1); + if (mdfd < 0) + exit(1); +- } else ++ } else { ++ char *bname = basename(devlist->devname); ++ ++ if (strlen(bname) > MD_NAME_MAX) { ++ pr_err("Name %s is too long.\n", devlist->devname); ++ exit(1); ++ } + /* non-existent device is OK */ + mdfd = open_mddev(devlist->devname, 0); ++ } + if (mdfd == -2) { + pr_err("device %s exists but is not an md array.\n", devlist->devname); + exit(1); +diff --git a/mdadm.h b/mdadm.h +index 54567396..c7268a71 100644 +--- a/mdadm.h ++++ b/mdadm.h +@@ -1880,3 +1880,8 @@ enum r0layout { + #define INVALID_SECTORS 1 + /* And another special number needed for --data_offset=variable */ + #define VARIABLE_OFFSET 3 ++ ++/** ++ * This is true for native and DDF, IMSM allows 16. ++ */ ++#define MD_NAME_MAX 32 +-- +cgit + diff --git a/meta/recipes-extended/mdadm/mdadm_4.1.bb b/meta/recipes-extended/mdadm/mdadm_4.1.bb index bb77759cf9..5238a41df2 100644 --- a/meta/recipes-extended/mdadm/mdadm_4.1.bb +++ b/meta/recipes-extended/mdadm/mdadm_4.1.bb @@ -24,6 +24,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/utils/raid/mdadm/${BPN}-${PV}.tar.xz \ file://0001-mdadm-add-option-y-for-use-syslog-to-recive-event-re.patch \ file://include_sysmacros.patch \ file://0001-mdadm-skip-test-11spare-migration.patch \ + file://CVE-2023-28736.patch \ " SRC_URI[md5sum] = "51bf3651bd73a06c413a2f964f299598" From patchwork Sat Sep 30 19:39:59 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 31448 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id F076AE743DD for ; Sat, 30 Sep 2023 19:40:24 +0000 (UTC) Received: from mail-pf1-f179.google.com (mail-pf1-f179.google.com [209.85.210.179]) by mx.groups.io with SMTP id smtpd.web10.47631.1696102823701251899 for ; Sat, 30 Sep 2023 12:40:23 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=pRuZ3bNw; spf=softfail (domain: sakoman.com, ip: 209.85.210.179, mailfrom: steve@sakoman.com) Received: by mail-pf1-f179.google.com with SMTP id d2e1a72fcca58-690bccb0d8aso12422515b3a.0 for ; Sat, 30 Sep 2023 12:40:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1696102823; x=1696707623; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=MOIddVUGKadfLmJU0nNzmOYxdEJoO2HHcoYHuZNbqI0=; b=pRuZ3bNwdnT0+cgqaXwA5ly41sM3J6Ar/Y3EhGVGE03x0mwaiaXwf9CoD35JTC7XQx l+kVhGn2/rG8VcCMifkRpATPh36oymE1qKviapvIWcjSSJZXNfXlqqCWUXtMoviG1Ad1 AV7SRqAOSqJDnAz/6e9UsgOtsDH4RvOWlMSGSCBKzrTN2gOCODvFAX0oAt28UilfoJZk n8fyEtK/vEjf32Qf0kJeHvUDNUpsbq0XMp11iuTkC1g5ie4f7CgFPKHSuWeQ+xgyqPwD WBTsf35X0x/jxNe3Y/Zoi4ZRDsf2XZGy+W+rUsPkqSpRQcyqz4gGH59C+CSaH2GsYaoJ 2MwQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1696102823; x=1696707623; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=MOIddVUGKadfLmJU0nNzmOYxdEJoO2HHcoYHuZNbqI0=; b=MapiyUq7d4Zoc9ekvcUvcIeRwCz77SASFhmUIyfX3QdMFWZ4piFoUhhXZc6+GTXMhh Vm8P+lrOsS53TFCbIo4CwCVFVvNWQgET01HUD28/k0CELRvRxb1uTCtDDytM0HH2adU0 pOCLmXh/6JFZqwKfU+otXIajGieSfOUqZR7h2niN8hWSZX9pds0EcePW5WYWtsdKVTPC w5EPMdmvdQZLMxl2fIPPkTz8u5in4TF8Opq2aBPzMpewwYVSdhDK07CtLAeySEKWMNYQ 4s8l9AE+dN+jfWp86jtL8WjTE/CZNNerqPTpAGt7lYGdjDwC0VFK23K3gg48aipx+rMu Uu3A== X-Gm-Message-State: AOJu0YyjiCaC0J/HazptrCxMhoN/jhaLjhx2ZpqSrzbuYivowzxN6hMc HoG7I/uMPGSt7uCpPkoQ/ooz4hu6XE9Z/98C4XU= X-Google-Smtp-Source: AGHT+IEI4w3uU7C3Wb2y/lwBS3QUtfeLLTmwIZtC/mkBGh/+1/oJpUhKWi2zDFkYnxaXeCpNvSdYCQ== X-Received: by 2002:a05:6a00:1495:b0:68f:e9ce:92a5 with SMTP id v21-20020a056a00149500b0068fe9ce92a5mr8082439pfu.4.1696102822383; Sat, 30 Sep 2023 12:40:22 -0700 (PDT) Received: from hexa.lan (dhcp-72-234-106-30.hawaiiantel.net. [72.234.106.30]) by smtp.gmail.com with ESMTPSA id p2-20020a62ab02000000b006936d053677sm2880011pff.133.2023.09.30.12.40.21 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 30 Sep 2023 12:40:22 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 02/13] libwebp: Fix CVE-2023-5129 Date: Sat, 30 Sep 2023 09:39:59 -1000 Message-Id: <2ab6568d35e3d68f77a73bf56eb2d38aa6ada236.1696102675.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 30 Sep 2023 19:40:24 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/188467 From: Colin McAllister Add patch from libwebp 1.1.0 to fix CVE-2023-5129. Signed-off-by: Colin McAllister Signed-off-by: Steve Sakoman --- .../webp/files/CVE-2023-5129.patch | 364 ++++++++++++++++++ meta/recipes-multimedia/webp/libwebp_1.1.0.bb | 1 + 2 files changed, 365 insertions(+) create mode 100644 meta/recipes-multimedia/webp/files/CVE-2023-5129.patch diff --git a/meta/recipes-multimedia/webp/files/CVE-2023-5129.patch b/meta/recipes-multimedia/webp/files/CVE-2023-5129.patch new file mode 100644 index 0000000000..eb77e193c2 --- /dev/null +++ b/meta/recipes-multimedia/webp/files/CVE-2023-5129.patch @@ -0,0 +1,364 @@ +From 12b11893edf6c201710ebeee7c84743a8573fad6 Mon Sep 17 00:00:00 2001 +From: Vincent Rabaud +Date: Thu, 7 Sep 2023 21:16:03 +0200 +Subject: [PATCH 1/1] Fix OOB write in BuildHuffmanTable. + +First, BuildHuffmanTable is called to check if the data is valid. +If it is and the table is not big enough, more memory is allocated. + +This will make sure that valid (but unoptimized because of unbalanced +codes) streams are still decodable. + +Bug: chromium:1479274 +Change-Id: I31c36dbf3aa78d35ecf38706b50464fd3d375741 + +CVE: CVE-2023-5129 +Upstream-Status: Backport [https://github.com/webmproject/libwebp/commit/2af26267cdfcb63a88e5c74a85927a12d6ca1d76] +Signed-off-by: Colin McAllister +--- + src/dec/vp8l_dec.c | 46 ++++++++++--------- + src/dec/vp8li_dec.h | 2 +- + src/utils/huffman_utils.c | 97 +++++++++++++++++++++++++++++++-------- + src/utils/huffman_utils.h | 27 +++++++++-- + 4 files changed, 129 insertions(+), 43 deletions(-) + +diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c +index 93615d4e..0d38314d 100644 +--- a/src/dec/vp8l_dec.c ++++ b/src/dec/vp8l_dec.c +@@ -253,11 +253,11 @@ static int ReadHuffmanCodeLengths( + int symbol; + int max_symbol; + int prev_code_len = DEFAULT_CODE_LENGTH; +- HuffmanCode table[1 << LENGTHS_TABLE_BITS]; ++ HuffmanTables tables; + +- if (!VP8LBuildHuffmanTable(table, LENGTHS_TABLE_BITS, +- code_length_code_lengths, +- NUM_CODE_LENGTH_CODES)) { ++ if (!VP8LHuffmanTablesAllocate(1 << LENGTHS_TABLE_BITS, &tables) || ++ !VP8LBuildHuffmanTable(&tables, LENGTHS_TABLE_BITS, ++ code_length_code_lengths, NUM_CODE_LENGTH_CODES)) { + goto End; + } + +@@ -277,7 +277,7 @@ static int ReadHuffmanCodeLengths( + int code_len; + if (max_symbol-- == 0) break; + VP8LFillBitWindow(br); +- p = &table[VP8LPrefetchBits(br) & LENGTHS_TABLE_MASK]; ++ p = &tables.curr_segment->start[VP8LPrefetchBits(br) & LENGTHS_TABLE_MASK]; + VP8LSetBitPos(br, br->bit_pos_ + p->bits); + code_len = p->value; + if (code_len < kCodeLengthLiterals) { +@@ -300,6 +300,7 @@ static int ReadHuffmanCodeLengths( + ok = 1; + + End: ++ VP8LHuffmanTablesDeallocate(&tables); + if (!ok) dec->status_ = VP8_STATUS_BITSTREAM_ERROR; + return ok; + } +@@ -307,7 +308,8 @@ static int ReadHuffmanCodeLengths( + // 'code_lengths' is pre-allocated temporary buffer, used for creating Huffman + // tree. + static int ReadHuffmanCode(int alphabet_size, VP8LDecoder* const dec, +- int* const code_lengths, HuffmanCode* const table) { ++ int* const code_lengths, ++ HuffmanTables* const table) { + int ok = 0; + int size = 0; + VP8LBitReader* const br = &dec->br_; +@@ -362,8 +364,7 @@ static int ReadHuffmanCodes(VP8LDecoder* const dec, int xsize, int ysize, + VP8LMetadata* const hdr = &dec->hdr_; + uint32_t* huffman_image = NULL; + HTreeGroup* htree_groups = NULL; +- HuffmanCode* huffman_tables = NULL; +- HuffmanCode* huffman_table = NULL; ++ HuffmanTables* huffman_tables = &hdr->huffman_tables_; + int num_htree_groups = 1; + int num_htree_groups_max = 1; + int max_alphabet_size = 0; +@@ -372,6 +373,10 @@ static int ReadHuffmanCodes(VP8LDecoder* const dec, int xsize, int ysize, + int* mapping = NULL; + int ok = 0; + ++ // Check the table has been 0 initialized (through InitMetadata). ++ assert(huffman_tables->root.start == NULL); ++ assert(huffman_tables->curr_segment == NULL); ++ + if (allow_recursion && VP8LReadBits(br, 1)) { + // use meta Huffman codes. + const int huffman_precision = VP8LReadBits(br, 3) + 2; +@@ -434,16 +439,15 @@ static int ReadHuffmanCodes(VP8LDecoder* const dec, int xsize, int ysize, + + code_lengths = (int*)WebPSafeCalloc((uint64_t)max_alphabet_size, + sizeof(*code_lengths)); +- huffman_tables = (HuffmanCode*)WebPSafeMalloc(num_htree_groups * table_size, +- sizeof(*huffman_tables)); + htree_groups = VP8LHtreeGroupsNew(num_htree_groups); + +- if (htree_groups == NULL || code_lengths == NULL || huffman_tables == NULL) { ++ if (htree_groups == NULL || code_lengths == NULL || ++ !VP8LHuffmanTablesAllocate(num_htree_groups * table_size, ++ huffman_tables)) { + dec->status_ = VP8_STATUS_OUT_OF_MEMORY; + goto Error; + } + +- huffman_table = huffman_tables; + for (i = 0; i < num_htree_groups_max; ++i) { + // If the index "i" is unused in the Huffman image, just make sure the + // coefficients are valid but do not store them. +@@ -468,19 +472,20 @@ static int ReadHuffmanCodes(VP8LDecoder* const dec, int xsize, int ysize, + int max_bits = 0; + for (j = 0; j < HUFFMAN_CODES_PER_META_CODE; ++j) { + int alphabet_size = kAlphabetSize[j]; +- htrees[j] = huffman_table; + if (j == 0 && color_cache_bits > 0) { + alphabet_size += (1 << color_cache_bits); + } +- size = ReadHuffmanCode(alphabet_size, dec, code_lengths, huffman_table); ++ size = ++ ReadHuffmanCode(alphabet_size, dec, code_lengths, huffman_tables); ++ htrees[j] = huffman_tables->curr_segment->curr_table; + if (size == 0) { + goto Error; + } + if (is_trivial_literal && kLiteralMap[j] == 1) { +- is_trivial_literal = (huffman_table->bits == 0); ++ is_trivial_literal = (htrees[j]->bits == 0); + } +- total_size += huffman_table->bits; +- huffman_table += size; ++ total_size += htrees[j]->bits; ++ huffman_tables->curr_segment->curr_table += size; + if (j <= ALPHA) { + int local_max_bits = code_lengths[0]; + int k; +@@ -515,14 +520,13 @@ static int ReadHuffmanCodes(VP8LDecoder* const dec, int xsize, int ysize, + hdr->huffman_image_ = huffman_image; + hdr->num_htree_groups_ = num_htree_groups; + hdr->htree_groups_ = htree_groups; +- hdr->huffman_tables_ = huffman_tables; + + Error: + WebPSafeFree(code_lengths); + WebPSafeFree(mapping); + if (!ok) { + WebPSafeFree(huffman_image); +- WebPSafeFree(huffman_tables); ++ VP8LHuffmanTablesDeallocate(huffman_tables); + VP8LHtreeGroupsFree(htree_groups); + } + return ok; +@@ -1354,7 +1358,7 @@ static void ClearMetadata(VP8LMetadata* const hdr) { + assert(hdr != NULL); + + WebPSafeFree(hdr->huffman_image_); +- WebPSafeFree(hdr->huffman_tables_); ++ VP8LHuffmanTablesDeallocate(&hdr->huffman_tables_); + VP8LHtreeGroupsFree(hdr->htree_groups_); + VP8LColorCacheClear(&hdr->color_cache_); + VP8LColorCacheClear(&hdr->saved_color_cache_); +@@ -1670,7 +1674,7 @@ int VP8LDecodeImage(VP8LDecoder* const dec) { + // Sanity checks. + if (dec == NULL) return 0; + +- assert(dec->hdr_.huffman_tables_ != NULL); ++ assert(dec->hdr_.huffman_tables_.root.start != NULL); + assert(dec->hdr_.htree_groups_ != NULL); + assert(dec->hdr_.num_htree_groups_ > 0); + +diff --git a/src/dec/vp8li_dec.h b/src/dec/vp8li_dec.h +index 72b2e861..32540a4b 100644 +--- a/src/dec/vp8li_dec.h ++++ b/src/dec/vp8li_dec.h +@@ -51,7 +51,7 @@ typedef struct { + uint32_t* huffman_image_; + int num_htree_groups_; + HTreeGroup* htree_groups_; +- HuffmanCode* huffman_tables_; ++ HuffmanTables huffman_tables_; + } VP8LMetadata; + + typedef struct VP8LDecoder VP8LDecoder; +diff --git a/src/utils/huffman_utils.c b/src/utils/huffman_utils.c +index 0cba0fbb..9efd6283 100644 +--- a/src/utils/huffman_utils.c ++++ b/src/utils/huffman_utils.c +@@ -177,21 +177,24 @@ static int BuildHuffmanTable(HuffmanCode* const root_table, int root_bits, + if (num_open < 0) { + return 0; + } +- if (root_table == NULL) continue; + for (; count[len] > 0; --count[len]) { + HuffmanCode code; + if ((key & mask) != low) { +- table += table_size; ++ if (root_table != NULL) table += table_size; + table_bits = NextTableBitSize(count, len, root_bits); + table_size = 1 << table_bits; + total_size += table_size; + low = key & mask; +- root_table[low].bits = (uint8_t)(table_bits + root_bits); +- root_table[low].value = (uint16_t)((table - root_table) - low); ++ if (root_table != NULL) { ++ root_table[low].bits = (uint8_t)(table_bits + root_bits); ++ root_table[low].value = (uint16_t)((table - root_table) - low); ++ } ++ } ++ if (root_table != NULL) { ++ code.bits = (uint8_t)(len - root_bits); ++ code.value = (uint16_t)sorted[symbol++]; ++ ReplicateValue(&table[key >> root_bits], step, table_size, code); + } +- code.bits = (uint8_t)(len - root_bits); +- code.value = (uint16_t)sorted[symbol++]; +- ReplicateValue(&table[key >> root_bits], step, table_size, code); + key = GetNextKey(key, len); + } + } +@@ -211,25 +214,83 @@ static int BuildHuffmanTable(HuffmanCode* const root_table, int root_bits, + ((1 << MAX_CACHE_BITS) + NUM_LITERAL_CODES + NUM_LENGTH_CODES) + // Cut-off value for switching between heap and stack allocation. + #define SORTED_SIZE_CUTOFF 512 +-int VP8LBuildHuffmanTable(HuffmanCode* const root_table, int root_bits, ++int VP8LBuildHuffmanTable(HuffmanTables* const root_table, int root_bits, + const int code_lengths[], int code_lengths_size) { +- int total_size; ++ const int total_size = ++ BuildHuffmanTable(NULL, root_bits, code_lengths, code_lengths_size, NULL); + assert(code_lengths_size <= MAX_CODE_LENGTHS_SIZE); +- if (root_table == NULL) { +- total_size = BuildHuffmanTable(NULL, root_bits, +- code_lengths, code_lengths_size, NULL); +- } else if (code_lengths_size <= SORTED_SIZE_CUTOFF) { ++ if (total_size == 0 || root_table == NULL) return total_size; ++ ++ if (root_table->curr_segment->curr_table + total_size >= ++ root_table->curr_segment->start + root_table->curr_segment->size) { ++ // If 'root_table' does not have enough memory, allocate a new segment. ++ // The available part of root_table->curr_segment is left unused because we ++ // need a contiguous buffer. ++ const int segment_size = root_table->curr_segment->size; ++ struct HuffmanTablesSegment* next = ++ (HuffmanTablesSegment*)WebPSafeMalloc(1, sizeof(*next)); ++ if (next == NULL) return 0; ++ // Fill the new segment. ++ // We need at least 'total_size' but if that value is small, it is better to ++ // allocate a big chunk to prevent more allocations later. 'segment_size' is ++ // therefore chosen (any other arbitrary value could be chosen). ++ next->size = total_size > segment_size ? total_size : segment_size; ++ next->start = ++ (HuffmanCode*)WebPSafeMalloc(next->size, sizeof(*next->start)); ++ if (next->start == NULL) { ++ WebPSafeFree(next); ++ return 0; ++ } ++ next->curr_table = next->start; ++ next->next = NULL; ++ // Point to the new segment. ++ root_table->curr_segment->next = next; ++ root_table->curr_segment = next; ++ } ++ if (code_lengths_size <= SORTED_SIZE_CUTOFF) { + // use local stack-allocated array. + uint16_t sorted[SORTED_SIZE_CUTOFF]; +- total_size = BuildHuffmanTable(root_table, root_bits, +- code_lengths, code_lengths_size, sorted); +- } else { // rare case. Use heap allocation. ++ BuildHuffmanTable(root_table->curr_segment->curr_table, root_bits, ++ code_lengths, code_lengths_size, sorted); ++ } else { // rare case. Use heap allocation. + uint16_t* const sorted = + (uint16_t*)WebPSafeMalloc(code_lengths_size, sizeof(*sorted)); + if (sorted == NULL) return 0; +- total_size = BuildHuffmanTable(root_table, root_bits, +- code_lengths, code_lengths_size, sorted); ++ BuildHuffmanTable(root_table->curr_segment->curr_table, root_bits, ++ code_lengths, code_lengths_size, sorted); + WebPSafeFree(sorted); + } + return total_size; + } ++ ++int VP8LHuffmanTablesAllocate(int size, HuffmanTables* huffman_tables) { ++ // Have 'segment' point to the first segment for now, 'root'. ++ HuffmanTablesSegment* const root = &huffman_tables->root; ++ huffman_tables->curr_segment = root; ++ // Allocate root. ++ root->start = (HuffmanCode*)WebPSafeMalloc(size, sizeof(*root->start)); ++ if (root->start == NULL) return 0; ++ root->curr_table = root->start; ++ root->next = NULL; ++ root->size = size; ++ return 1; ++} ++ ++void VP8LHuffmanTablesDeallocate(HuffmanTables* const huffman_tables) { ++ HuffmanTablesSegment *current, *next; ++ if (huffman_tables == NULL) return; ++ // Free the root node. ++ current = &huffman_tables->root; ++ next = current->next; ++ WebPSafeFree(current->start); ++ current->start = NULL; ++ current->next = NULL; ++ current = next; ++ // Free the following nodes. ++ while (current != NULL) { ++ next = current->next; ++ WebPSafeFree(current->start); ++ WebPSafeFree(current); ++ current = next; ++ } ++} +diff --git a/src/utils/huffman_utils.h b/src/utils/huffman_utils.h +index 13b7ad1a..98415c53 100644 +--- a/src/utils/huffman_utils.h ++++ b/src/utils/huffman_utils.h +@@ -43,6 +43,29 @@ typedef struct { + // or non-literal symbol otherwise + } HuffmanCode32; + ++// Contiguous memory segment of HuffmanCodes. ++typedef struct HuffmanTablesSegment { ++ HuffmanCode* start; ++ // Pointer to where we are writing into the segment. Starts at 'start' and ++ // cannot go beyond 'start' + 'size'. ++ HuffmanCode* curr_table; ++ // Pointer to the next segment in the chain. ++ struct HuffmanTablesSegment* next; ++ int size; ++} HuffmanTablesSegment; ++ ++// Chained memory segments of HuffmanCodes. ++typedef struct HuffmanTables { ++ HuffmanTablesSegment root; ++ // Currently processed segment. At first, this is 'root'. ++ HuffmanTablesSegment* curr_segment; ++} HuffmanTables; ++ ++// Allocates a HuffmanTables with 'size' contiguous HuffmanCodes. Returns 0 on ++// memory allocation error, 1 otherwise. ++int VP8LHuffmanTablesAllocate(int size, HuffmanTables* huffman_tables); ++void VP8LHuffmanTablesDeallocate(HuffmanTables* const huffman_tables); ++ + #define HUFFMAN_PACKED_BITS 6 + #define HUFFMAN_PACKED_TABLE_SIZE (1u << HUFFMAN_PACKED_BITS) + +@@ -78,9 +101,7 @@ void VP8LHtreeGroupsFree(HTreeGroup* const htree_groups); + // the huffman table. + // Returns built table size or 0 in case of error (invalid tree or + // memory error). +-// If root_table is NULL, it returns 0 if a lookup cannot be built, something +-// > 0 otherwise (but not the table size). +-int VP8LBuildHuffmanTable(HuffmanCode* const root_table, int root_bits, ++int VP8LBuildHuffmanTable(HuffmanTables* const root_table, int root_bits, + const int code_lengths[], int code_lengths_size); + + #ifdef __cplusplus +-- +2.34.1 + diff --git a/meta/recipes-multimedia/webp/libwebp_1.1.0.bb b/meta/recipes-multimedia/webp/libwebp_1.1.0.bb index f449ae750b..27c5d92c92 100644 --- a/meta/recipes-multimedia/webp/libwebp_1.1.0.bb +++ b/meta/recipes-multimedia/webp/libwebp_1.1.0.bb @@ -21,6 +21,7 @@ UPSTREAM_CHECK_URI = "http://downloads.webmproject.org/releases/webp/index.html" SRC_URI += " \ file://CVE-2023-1999.patch \ + file://CVE-2023-5129.patch \ " EXTRA_OECONF = " \ From patchwork Sat Sep 30 19:40:00 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 31450 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id D3C72E82CA4 for ; Sat, 30 Sep 2023 19:40:34 +0000 (UTC) Received: from mail-oa1-f50.google.com (mail-oa1-f50.google.com [209.85.160.50]) by mx.groups.io with SMTP id smtpd.web11.47402.1696102825519357297 for ; Sat, 30 Sep 2023 12:40:25 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=2HWuufoo; spf=softfail (domain: sakoman.com, ip: 209.85.160.50, mailfrom: steve@sakoman.com) Received: by mail-oa1-f50.google.com with SMTP id 586e51a60fabf-1dce01b6f2eso6863491fac.1 for ; Sat, 30 Sep 2023 12:40:25 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1696102824; x=1696707624; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=vvMEAF15Hqs42BX+jrXfNapOkTLdwqXOHC3c9xjMu08=; b=2HWuufooaf9nwvmp8hKnF/Prb3bsPdvZNkL1Lbna63XcjDNEr0palUVjA5TcIwMO/l NyOuAsUPDiKjKy3knvVEY/ZdoSGleagF1f33MeXskJ/2pBJXUCgB7Xx/WN6nTvlQdLI0 DF6ACcBKeGPXe8CCFR/Lq2WQSfw7neOoa3byC9WIna2TrADstMqixTX5MNu9ARPDDgp8 3/Jl33AY8SAih8DXXvEysVBecQSXSIvhTPUVQocTV45n7KX9P9LSzr0OZiPOcCQLBeu8 08b8FTQAmPclcLCtt3gemct6vyYyiQb97vv8oHv/Dmi9pw+tRercbM4o+JLy9zSNyCBH IzpA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1696102824; x=1696707624; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=vvMEAF15Hqs42BX+jrXfNapOkTLdwqXOHC3c9xjMu08=; b=JIna+KA9yovuqJe01Kr4yExKVI6N7U3lCgatqJ1vwbJFcv366WNyZpf8+rBSXkEjyb KpKVMJ3IMrpYThKD71N1PFhaIbRYOmm81jKIjQuQVzbdZrxaYH53Bf9ttEIsM1aHEIpe b+erTVh/Gmn7RUYgBT6sFlWwhL+cyKNbORkfqAJ8AfIG4LbDwibfDOdHTd1GQChKUfCM u75pZKvA4ACc4MpMtIktP8aavh3bXZCaLTgvSY2C6RW1slnbsOGus4dDl76rjI8gFuR3 JZfMLMC/necw4LnqIlFhHR8PpKt+F97BmTMsnDDfK8AdOw22o7zdaeZbke9CpE0kUF4Z QwlQ== X-Gm-Message-State: AOJu0Yyo79KKyiyaizi1EvUxvSVhxY0YeQIeH8CoOM5BJEd+04HybJ2i NYff+HXenQHDvwbkp24GNRdnIQ5pH+0gwJ9KrRQ= X-Google-Smtp-Source: AGHT+IEGfj/BeV8Q0f7GkYpS/MsRn50CNXxL9skZ+NkVBuBN9p89YGAQvSqriC+SzHU9LdNAkJIgdw== X-Received: by 2002:a05:6870:f6a7:b0:1d6:6941:d1d0 with SMTP id el39-20020a056870f6a700b001d66941d1d0mr8891597oab.49.1696102824160; Sat, 30 Sep 2023 12:40:24 -0700 (PDT) Received: from hexa.lan (dhcp-72-234-106-30.hawaiiantel.net. [72.234.106.30]) by smtp.gmail.com with ESMTPSA id p2-20020a62ab02000000b006936d053677sm2880011pff.133.2023.09.30.12.40.23 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 30 Sep 2023 12:40:23 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 03/13] libxpm: fix CVE-2022-46285 Date: Sat, 30 Sep 2023 09:40:00 -1000 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 30 Sep 2023 19:40:34 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/188468 From: Lee Chee Yang Signed-off-by: Lee Chee Yang Signed-off-by: Steve Sakoman --- .../xorg-lib/libxpm/CVE-2022-46285.patch | 40 +++++++++++++++++++ .../xorg-lib/libxpm_3.5.13.bb | 2 + 2 files changed, 42 insertions(+) create mode 100644 meta/recipes-graphics/xorg-lib/libxpm/CVE-2022-46285.patch diff --git a/meta/recipes-graphics/xorg-lib/libxpm/CVE-2022-46285.patch b/meta/recipes-graphics/xorg-lib/libxpm/CVE-2022-46285.patch new file mode 100644 index 0000000000..e8b654dfb2 --- /dev/null +++ b/meta/recipes-graphics/xorg-lib/libxpm/CVE-2022-46285.patch @@ -0,0 +1,40 @@ +CVE: CVE-2022-46285 +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/a3a7c6dcc3b629d7650148 ] +Signed-off-by: Lee Chee Yang + +From a3a7c6dcc3b629d765014816c566c63165c63ca8 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Sat, 17 Dec 2022 12:23:45 -0800 +Subject: [PATCH] Fix CVE-2022-46285: Infinite loop on unclosed comments + +When reading XPM images from a file with libXpm 3.5.14 or older, if a +comment in the file is not closed (i.e. a C-style comment starts with +"/*" and is missing the closing "*/"), the ParseComment() function will +loop forever calling getc() to try to read the rest of the comment, +failing to notice that it has returned EOF, which may cause a denial of +service to the calling program. + +Reported-by: Marco Ivaldi +Signed-off-by: Alan Coopersmith +--- + src/data.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/data.c b/src/data.c +index 898889c..bfad4ff 100644 +--- a/src/data.c ++++ b/src/data.c +@@ -174,6 +174,10 @@ ParseComment(xpmData *data) + notend = 0; + Ungetc(data, *s, file); + } ++ else if (c == EOF) { ++ /* hit end of file before the end of the comment */ ++ return XpmFileInvalid; ++ } + } + return 0; + } +-- +GitLab + diff --git a/meta/recipes-graphics/xorg-lib/libxpm_3.5.13.bb b/meta/recipes-graphics/xorg-lib/libxpm_3.5.13.bb index fda8e32d2c..8937e61cb5 100644 --- a/meta/recipes-graphics/xorg-lib/libxpm_3.5.13.bb +++ b/meta/recipes-graphics/xorg-lib/libxpm_3.5.13.bb @@ -21,6 +21,8 @@ PACKAGES =+ "sxpm cxpm" FILES_cxpm = "${bindir}/cxpm" FILES_sxpm = "${bindir}/sxpm" +SRC_URI += " file://CVE-2022-46285.patch" + SRC_URI[md5sum] = "6f0ecf8d103d528cfc803aa475137afa" SRC_URI[sha256sum] = "9cd1da57588b6cb71450eff2273ef6b657537a9ac4d02d0014228845b935ac25" From patchwork Sat Sep 30 19:40:01 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 31451 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id D4323E82CDE for ; Sat, 30 Sep 2023 19:40:34 +0000 (UTC) Received: from mail-pf1-f176.google.com (mail-pf1-f176.google.com [209.85.210.176]) by mx.groups.io with SMTP id smtpd.web11.47404.1696102827034421404 for ; Sat, 30 Sep 2023 12:40:27 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=sti0TCdl; spf=softfail (domain: sakoman.com, ip: 209.85.210.176, mailfrom: steve@sakoman.com) Received: by mail-pf1-f176.google.com with SMTP id d2e1a72fcca58-690b7cb71aeso1307211b3a.0 for ; Sat, 30 Sep 2023 12:40:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1696102826; x=1696707626; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=ctgLEJMbOrSAwiHt1OmQmqYRyn2JPy/Tgdrw1HczCT0=; b=sti0TCdlF8j9evdqINlgZIggVHn9AwiaVV8CgWQUSbEPPMUYMVDcqwTW17ss6XkHOD dcbQrxbg6SOHfOTfHoet/yIaq8amBZZY6b4Xp2IeViiAJcjVchj+9uj/T3j1Ypi0LVWK YWfvjc5suGJRvPA0owr9sQvcJEKdVn1QBvWExx6Xn++Y0EPJCa1Obpr4/Csq1MjgPFi5 A5neZ1WUlTSxEcceTBFkUhBjcYhQoJiXGRvsu9qheqDXUjnujx5vh7oaC/LxL+Sl2A+l 6KuKHBugXu4+iA/NXUTpN7ZD4tVrxZQbvoCOi2RZ7N7yF9+IbcCSERHyeVl+1vxFtU9Y 6yOw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1696102826; x=1696707626; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=ctgLEJMbOrSAwiHt1OmQmqYRyn2JPy/Tgdrw1HczCT0=; b=kdsjIKvrviXBxpoMFzPVQJ17CYUXT/CJdIesF+S3h9xfG6oLwuGuwgH4nnVyZVr+qq MmDoIovi+b3IDg7s8tOJ3QqMZaBJBgXmzgtreHXNsU6WUtPISnhWk/7iqTf2ZauIxJlI jgE2j7JxEtYOZ0uylzF43o/Z0mnWRm+YJ6hFdvkrNZGBeDF1nJGQhMD4Cl/csJNeM508 syv/0aLJ/NhRjzi84doIgCrGwsDTTT7e9j+bAeWhnjrjSDvxGyt3D+ipNPMfcDSh4MPT ljFIXeQWgQqm3OCQhR8HvjQnp5nCndZRn7KxCVDlnippz/WSZ514vEPzYDZUUm+1wwW1 UKYQ== X-Gm-Message-State: AOJu0Yyrhs70jStn6z1mIKBLl57IUcO4vETfN0r91RGFp36Hs7yrNnp6 mrgqCJFeBSMqn4cZlqhmaL70vLwE2nGVJojKjCU= X-Google-Smtp-Source: AGHT+IHVwjDyRvePk1ZkP+J1bpac+ioaMsgZGn5ujGtTi0WSp3v6VMB8YozQjl3DUQys6YPdXSGg1A== X-Received: by 2002:a05:6a20:7f96:b0:140:61f8:53f6 with SMTP id d22-20020a056a207f9600b0014061f853f6mr12855455pzj.29.1696102826057; Sat, 30 Sep 2023 12:40:26 -0700 (PDT) Received: from hexa.lan (dhcp-72-234-106-30.hawaiiantel.net. [72.234.106.30]) by smtp.gmail.com with ESMTPSA id p2-20020a62ab02000000b006936d053677sm2880011pff.133.2023.09.30.12.40.24 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 30 Sep 2023 12:40:25 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 04/13] nasm: fix CVE-2022-44370 Date: Sat, 30 Sep 2023 09:40:01 -1000 Message-Id: <91e716b75861f2a4acee58a0c3f95e511058f1dc.1696102675.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 30 Sep 2023 19:40:34 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/188469 From: Archana Polampalli NASM v2.16 was discovered to contain a heap buffer overflow in the component quote_for_pmake() asm/nasm.c:856 References: https://nvd.nist.gov/vuln/detail/CVE-2022-44370 Upstream patches: https://github.com/netwide-assembler/nasm/commit/2d4e6952417ec6f08b6f135d2b5d0e19b7dae30d ( cherry picked from commit 1568df72136f46f0767bba56c10c48bf2a1ec259 ) Signed-off-by: Archana Polampalli Signed-off-by: Steve Sakoman Signed-off-by: Lee Chee Yang Signed-off-by: Steve Sakoman --- .../nasm/nasm/CVE-2022-44370.patch | 104 ++++++++++++++++++ meta/recipes-devtools/nasm/nasm_2.15.03.bb | 1 + 2 files changed, 105 insertions(+) create mode 100644 meta/recipes-devtools/nasm/nasm/CVE-2022-44370.patch diff --git a/meta/recipes-devtools/nasm/nasm/CVE-2022-44370.patch b/meta/recipes-devtools/nasm/nasm/CVE-2022-44370.patch new file mode 100644 index 0000000000..1bd49c9fd9 --- /dev/null +++ b/meta/recipes-devtools/nasm/nasm/CVE-2022-44370.patch @@ -0,0 +1,104 @@ +From b37677f7e40276bd8f504584bcba2c092f1146a8 Mon Sep 17 00:00:00 2001 +From: "H. Peter Anvin" +Date: Mon, 7 Nov 2022 10:26:03 -0800 +Subject: [PATCH] quote_for_pmake: fix counter underrun resulting in segfault + +while (nbs--) { ... } ends with nbs == -1. Rather than a minimal fix, +introduce mempset() to make these kinds of errors less likely in the +future. + +Fixes: https://bugzilla.nasm.us/show_bug.cgi?id=3392815 +Reported-by: <13579and24680@gmail.com> +Signed-off-by: H. Peter Anvin + +Upstream-Status: Backport +CVE: CVE-2022-4437 + +Reference to upstream patch: +[https://github.com/netwide-assembler/nasm/commit/2d4e6952417ec6f08b6f135d2b5d0e19b7dae30d] + +Signed-off-by: Archana Polampalli +--- + asm/nasm.c | 12 +++++------- + configure.ac | 1 + + include/compiler.h | 7 +++++++ + 3 files changed, 13 insertions(+), 7 deletions(-) + +diff --git a/asm/nasm.c b/asm/nasm.c +index 7a7f8b4..675cff4 100644 +--- a/asm/nasm.c ++++ b/asm/nasm.c +@@ -1,6 +1,6 @@ + /* ----------------------------------------------------------------------- * + * +- * Copyright 1996-2020 The NASM Authors - All Rights Reserved ++ * Copyright 1996-2022 The NASM Authors - All Rights Reserved + * See the file AUTHORS included with the NASM distribution for + * the specific copyright holders. + * +@@ -814,8 +814,7 @@ static char *quote_for_pmake(const char *str) + } + + /* Convert N backslashes at the end of filename to 2N backslashes */ +- if (nbs) +- n += nbs; ++ n += nbs; + + os = q = nasm_malloc(n); + +@@ -824,10 +823,10 @@ static char *quote_for_pmake(const char *str) + switch (*p) { + case ' ': + case '\t': +- while (nbs--) +- *q++ = '\\'; ++ q = mempset(q, '\\', nbs); + *q++ = '\\'; + *q++ = *p; ++ nbs = 0; + break; + case '$': + *q++ = *p; +@@ -849,9 +848,8 @@ static char *quote_for_pmake(const char *str) + break; + } + } +- while (nbs--) +- *q++ = '\\'; + ++ q = mempset(q, '\\', nbs); + *q = '\0'; + + return os; +diff --git a/configure.ac b/configure.ac +index 39680b1..940ebe2 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -199,6 +199,7 @@ AC_CHECK_FUNCS(strrchrnul) + AC_CHECK_FUNCS(iscntrl) + AC_CHECK_FUNCS(isascii) + AC_CHECK_FUNCS(mempcpy) ++AC_CHECK_FUNCS(mempset) + + AC_CHECK_FUNCS(getuid) + AC_CHECK_FUNCS(getgid) +diff --git a/include/compiler.h b/include/compiler.h +index db3d6d6..b64da6a 100644 +--- a/include/compiler.h ++++ b/include/compiler.h +@@ -256,6 +256,13 @@ static inline void *mempcpy(void *dst, const void *src, size_t n) + } + #endif + ++#ifndef HAVE_MEMPSET ++static inline void *mempset(void *dst, int c, size_t n) ++{ ++ return (char *)memset(dst, c, n) + n; ++} ++#endif ++ + /* + * Hack to support external-linkage inline functions + */ +-- +2.40.0 diff --git a/meta/recipes-devtools/nasm/nasm_2.15.03.bb b/meta/recipes-devtools/nasm/nasm_2.15.03.bb index fc7046244a..6a8c57827d 100644 --- a/meta/recipes-devtools/nasm/nasm_2.15.03.bb +++ b/meta/recipes-devtools/nasm/nasm_2.15.03.bb @@ -8,6 +8,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=90904486f8fbf1861cf42752e1a39efe" SRC_URI = "http://www.nasm.us/pub/nasm/releasebuilds/${PV}/nasm-${PV}.tar.bz2 \ file://0001-stdlib-Add-strlcat.patch \ file://0002-Add-debug-prefix-map-option.patch \ + file://CVE-2022-44370.patch \ " SRC_URI[sha256sum] = "04e7343d9bf112bffa9fda86f6c7c8b120c2ccd700b882e2db9f57484b1bd778" From patchwork Sat Sep 30 19:40:02 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 31455 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id EA549E748E0 for ; Sat, 30 Sep 2023 19:40:34 +0000 (UTC) Received: from mail-pf1-f177.google.com (mail-pf1-f177.google.com [209.85.210.177]) by mx.groups.io with SMTP id smtpd.web10.47632.1696102828850556909 for ; Sat, 30 Sep 2023 12:40:28 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=GHiYAmsE; spf=softfail (domain: sakoman.com, ip: 209.85.210.177, mailfrom: steve@sakoman.com) Received: by mail-pf1-f177.google.com with SMTP id d2e1a72fcca58-692779f583fso11427019b3a.0 for ; Sat, 30 Sep 2023 12:40:28 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1696102828; x=1696707628; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=FKZMgCSy7gZq0kkgvx51piRCC0rswginlnQ89fmC8eU=; b=GHiYAmsEA0xvNz2Ppx+JazR2rl0S+vH60kDk60I689dvfXVLOK0Lp1XfqCGUWBFJ5x kro66LW2vnPHf85SREARP+U3YkOZf+pvowmKDui9ykGvW4HvqHhxsFXwCeT9XXl5z38k job0rVE02f3lXUlO19JUsBl5xhuMBOQJBGOHxgF6Tv7Ye6CVtvi6U9Y12DueKMUUsIsM FBnsP84+hA7Dem7v3GPcMwBKhKMKv5LgrWIC+7S2kp7odPkp3ou6YAs4h9PDfPbH/srk mpYrGdnbNawJxCUVwUEmscS2jDpYAqSNG9AoUnHnn0a4VjC0G3J2I9Uy1/9uTx6HnLCa VjQw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1696102828; x=1696707628; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=FKZMgCSy7gZq0kkgvx51piRCC0rswginlnQ89fmC8eU=; b=RKWjuJVhgYEwobPzcZ1j0k6DkRQ3b6h+6aMmxkPoQMxzhJI8kLfheFAv/nmQd+XKKe rPIT3f9QIdpBS3CMwh2L1L5L5gcEOKQsb5+dLO2NbVwijxa1uc29SYEBAgoYc9OZHSuj /jaWpTLQx9BC4gXa9MBn677FDUehQdVV2lnNF5KkknacqZQQwwmRPW1BwblBc+KXKZ32 XkZaxibdKgXLm7AHcrWD3MSEDKjMPzgnTjIu/WsoXzHLgeqb47GUodjqOmVC8rSNxspO IaZeLAioblRhz/Lf+hJdsbi8akiHUp6rzj0qEPMUKYciizp3/QjPQU/aUeix/9mPtYqr 7vHg== X-Gm-Message-State: AOJu0Yx3vv5KpX8Nsne3xiUqiO1FB7nmzI6nCWaVo6NFVprC+AxllvaJ r4lu+yJUpdK/HprHODSxu8NftasiJFXo9JJnVJs= X-Google-Smtp-Source: AGHT+IGTQync4HxS8X5dp8M3ciijjxVEeWTLATwf/1YPSfINY3JyzubsXTMhGYfH+fkTPKmNtUhlpA== X-Received: by 2002:a05:6a00:2e10:b0:691:1eb:7dda with SMTP id fc16-20020a056a002e1000b0069101eb7ddamr8766047pfb.7.1696102827756; Sat, 30 Sep 2023 12:40:27 -0700 (PDT) Received: from hexa.lan (dhcp-72-234-106-30.hawaiiantel.net. [72.234.106.30]) by smtp.gmail.com with ESMTPSA id p2-20020a62ab02000000b006936d053677sm2880011pff.133.2023.09.30.12.40.26 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 30 Sep 2023 12:40:27 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 05/13] ghostscript: fix CVE-2023-36664 Date: Sat, 30 Sep 2023 09:40:02 -1000 Message-Id: <13534218ec37706d9decca5b5bd0453e312d72b0.1696102675.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 30 Sep 2023 19:40:34 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/188470 From: Vijay Anusuri Artifex Ghostscript through 10.01.2 mishandles permission validation for pipe devices (with the %pipe% prefix or the | pipe character prefix). Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-36664 Upstream commits: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=4ceaf92815302863a8c86fcfcf2347e0118dd3a5 https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5e65eeae225c7d02d447de5abaf4a8e6d234fcea https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=fb342fdb60391073a69147cb71af1ac416a81099 Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- .../ghostscript/CVE-2023-36664-1.patch | 145 ++++++++++++++++++ .../ghostscript/CVE-2023-36664-2.patch | 60 ++++++++ .../ghostscript/CVE-2023-36664-pre1.patch | 62 ++++++++ .../ghostscript/ghostscript_9.52.bb | 3 + 4 files changed, 270 insertions(+) create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-1.patch create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-2.patch create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-pre1.patch diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-1.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-1.patch new file mode 100644 index 0000000000..a3bbe958eb --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-1.patch @@ -0,0 +1,145 @@ +From 5e65eeae225c7d02d447de5abaf4a8e6d234fcea Mon Sep 17 00:00:00 2001 +From: Chris Liddell +Date: Wed, 7 Jun 2023 10:23:06 +0100 +Subject: [PATCH] Bug 706761: Don't "reduce" %pipe% file names for permission validation + +For regular file names, we try to simplfy relative paths before we use them. + +Because the %pipe% device can, effectively, accept command line calls, we +shouldn't be simplifying that string, because the command line syntax can end +up confusing the path simplifying code. That can result in permitting a pipe +command which does not match what was originally permitted. + +Special case "%pipe" in the validation code so we always deal with the entire +string. + +Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=505eab7782b429017eb434b2b95120855f2b0e3c] +CVE: CVE-2023-36664 +Signed-off-by: Vijay Anusuri +--- + base/gpmisc.c | 31 +++++++++++++++++++-------- + base/gslibctx.c | 56 ++++++++++++++++++++++++++++++++++++------------- + 2 files changed, 64 insertions(+), 23 deletions(-) + +diff --git a/base/gpmisc.c b/base/gpmisc.c +index c4fffae..09ac6b3 100644 +--- a/base/gpmisc.c ++++ b/base/gpmisc.c +@@ -1046,16 +1046,29 @@ gp_validate_path_len(const gs_memory_t *mem, + && !memcmp(path + cdirstrl, dirsepstr, dirsepstrl)) { + prefix_len = 0; + } +- rlen = len+1; +- bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path"); +- if (bufferfull == NULL) +- return gs_error_VMerror; +- +- buffer = bufferfull + prefix_len; +- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) +- return gs_error_invalidfileaccess; +- buffer[rlen] = 0; + ++ /* "%pipe%" do not follow the normal rules for path definitions, so we ++ don't "reduce" them to avoid unexpected results ++ */ ++ if (len > 5 && memcmp(path, "%pipe", 5) != 0) { ++ bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, len + 1, "gp_validate_path"); ++ if (buffer == NULL) ++ return gs_error_VMerror; ++ memcpy(buffer, path, len); ++ buffer[len] = 0; ++ rlen = len; ++ } ++ else { ++ rlen = len+1; ++ bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path"); ++ if (bufferfull == NULL) ++ return gs_error_VMerror; ++ ++ buffer = bufferfull + prefix_len; ++ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) ++ return gs_error_invalidfileaccess; ++ buffer[rlen] = 0; ++ } + while (1) { + switch (mode[0]) + { +diff --git a/base/gslibctx.c b/base/gslibctx.c +index 20c5eee..355c0e3 100644 +--- a/base/gslibctx.c ++++ b/base/gslibctx.c +@@ -719,14 +719,28 @@ gs_add_control_path_len(const gs_memory_t *mem, gs_path_control_t type, const ch + return gs_error_rangecheck; + } + +- rlen = len+1; +- buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path"); +- if (buffer == NULL) +- return gs_error_VMerror; ++ /* "%pipe%" do not follow the normal rules for path definitions, so we ++ don't "reduce" them to avoid unexpected results ++ */ ++ if (len > 5 && memcmp(path, "%pipe", 5) != 0) { ++ buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_add_control_path_len"); ++ if (buffer == NULL) ++ return gs_error_VMerror; ++ memcpy(buffer, path, len); ++ buffer[len] = 0; ++ rlen = len; ++ } ++ else { ++ rlen = len + 1; + +- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) +- return gs_error_invalidfileaccess; +- buffer[rlen] = 0; ++ buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_add_control_path_len"); ++ if (buffer == NULL) ++ return gs_error_VMerror; ++ ++ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) ++ return gs_error_invalidfileaccess; ++ buffer[rlen] = 0; ++ } + + n = control->num; + for (i = 0; i < n; i++) +@@ -802,14 +816,28 @@ gs_remove_control_path_len(const gs_memory_t *mem, gs_path_control_t type, const + return gs_error_rangecheck; + } + +- rlen = len+1; +- buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path"); +- if (buffer == NULL) +- return gs_error_VMerror; ++ /* "%pipe%" do not follow the normal rules for path definitions, so we ++ don't "reduce" them to avoid unexpected results ++ */ ++ if (len > 5 && memcmp(path, "%pipe", 5) != 0) { ++ buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_remove_control_path_len"); ++ if (buffer == NULL) ++ return gs_error_VMerror; ++ memcpy(buffer, path, len); ++ buffer[len] = 0; ++ rlen = len; ++ } ++ else { ++ rlen = len+1; + +- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) +- return gs_error_invalidfileaccess; +- buffer[rlen] = 0; ++ buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gs_remove_control_path_len"); ++ if (buffer == NULL) ++ return gs_error_VMerror; ++ ++ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) ++ return gs_error_invalidfileaccess; ++ buffer[rlen] = 0; ++ } + + n = control->num; + for (i = 0; i < n; i++) { +-- +2.25.1 + diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-2.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-2.patch new file mode 100644 index 0000000000..e8c42f1deb --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-2.patch @@ -0,0 +1,60 @@ +From fb342fdb60391073a69147cb71af1ac416a81099 Mon Sep 17 00:00:00 2001 +From: Chris Liddell +Date: Wed, 14 Jun 2023 09:08:12 +0100 +Subject: [PATCH] Bug 706778: 706761 revisit + +Two problems with the original commit. The first a silly typo inverting the +logic of a test. + +The second was forgetting that we actually actually validate two candidate +strings for pipe devices. One with the expected "%pipe%" prefix, the other +using the pipe character prefix: "|". + +This addresses both those. + +Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=fb342fdb60391073a69147cb71af1ac416a81099] +CVE: CVE-2023-36664 +Signed-off-by: Vijay Anusuri +--- + base/gpmisc.c | 2 +- + base/gslibctx.c | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/base/gpmisc.c b/base/gpmisc.c +index 09ac6b3..01d449f 100644 +--- a/base/gpmisc.c ++++ b/base/gpmisc.c +@@ -1050,7 +1050,7 @@ gp_validate_path_len(const gs_memory_t *mem, + /* "%pipe%" do not follow the normal rules for path definitions, so we + don't "reduce" them to avoid unexpected results + */ +- if (len > 5 && memcmp(path, "%pipe", 5) != 0) { ++ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) { + bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, len + 1, "gp_validate_path"); + if (buffer == NULL) + return gs_error_VMerror; +diff --git a/base/gslibctx.c b/base/gslibctx.c +index 355c0e3..d8f74a3 100644 +--- a/base/gslibctx.c ++++ b/base/gslibctx.c +@@ -722,7 +722,7 @@ gs_add_control_path_len(const gs_memory_t *mem, gs_path_control_t type, const ch + /* "%pipe%" do not follow the normal rules for path definitions, so we + don't "reduce" them to avoid unexpected results + */ +- if (len > 5 && memcmp(path, "%pipe", 5) != 0) { ++ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) { + buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_add_control_path_len"); + if (buffer == NULL) + return gs_error_VMerror; +@@ -819,7 +819,7 @@ gs_remove_control_path_len(const gs_memory_t *mem, gs_path_control_t type, const + /* "%pipe%" do not follow the normal rules for path definitions, so we + don't "reduce" them to avoid unexpected results + */ +- if (len > 5 && memcmp(path, "%pipe", 5) != 0) { ++ if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) { + buffer = (char *)gs_alloc_bytes(core->memory, len + 1, "gs_remove_control_path_len"); + if (buffer == NULL) + return gs_error_VMerror; +-- +2.25.1 + diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-pre1.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-pre1.patch new file mode 100644 index 0000000000..662736bb3d --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-pre1.patch @@ -0,0 +1,62 @@ +From 4ceaf92815302863a8c86fcfcf2347e0118dd3a5 Mon Sep 17 00:00:00 2001 +From: Ray Johnston +Date: Tue, 22 Sep 2020 13:10:04 -0700 +Subject: [PATCH] Fix gp_file allocations to use thread_safe_memory. + +The gpmisc.c does allocations for gp_file objects and buffers used by +gp_fprintf, as well as gp_validate_path_len. The helgrind run with +-dBGPrint -dNumRenderingThreads=4 and PCL input showed up the gp_fprintf +problem since the clist rendering would call gp_fprintf using the same +allocator (PCL's chunk allocator which is non_gc_memory). The chunk +allocator is intentionally not thread safe (for performance). + +Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=4ceaf92815302863a8c86fcfcf2347e0118dd3a5] +CVE: CVE-2023-36664 #Dependency Patch1 +Signed-off-by: Vijay Anusuri +--- + base/gpmisc.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/base/gpmisc.c b/base/gpmisc.c +index 34cd71f..c4fffae 100644 +--- a/base/gpmisc.c ++++ b/base/gpmisc.c +@@ -435,7 +435,7 @@ generic_pwrite(gp_file *f, size_t count, gs_offset_t offset, const void *buf) + + gp_file *gp_file_alloc(gs_memory_t *mem, const gp_file_ops_t *prototype, size_t size, const char *cname) + { +- gp_file *file = (gp_file *)gs_alloc_bytes(mem->non_gc_memory, size, cname ? cname : "gp_file"); ++ gp_file *file = (gp_file *)gs_alloc_bytes(mem->thread_safe_memory, size, cname ? cname : "gp_file"); + if (file == NULL) + return NULL; + +@@ -449,7 +449,7 @@ gp_file *gp_file_alloc(gs_memory_t *mem, const gp_file_ops_t *prototype, size_t + memset(((char *)file)+sizeof(*prototype), + 0, + size - sizeof(*prototype)); +- file->memory = mem->non_gc_memory; ++ file->memory = mem->thread_safe_memory; + + return file; + } +@@ -1047,7 +1047,7 @@ gp_validate_path_len(const gs_memory_t *mem, + prefix_len = 0; + } + rlen = len+1; +- bufferfull = (char *)gs_alloc_bytes(mem->non_gc_memory, rlen + prefix_len, "gp_validate_path"); ++ bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path"); + if (bufferfull == NULL) + return gs_error_VMerror; + +@@ -1093,7 +1093,7 @@ gp_validate_path_len(const gs_memory_t *mem, + break; + } + +- gs_free_object(mem->non_gc_memory, bufferfull, "gp_validate_path"); ++ gs_free_object(mem->thread_safe_memory, bufferfull, "gp_validate_path"); + #ifdef EACCES + if (code == gs_error_invalidfileaccess) + errno = EACCES; +-- +2.25.1 + diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.52.bb b/meta/recipes-extended/ghostscript/ghostscript_9.52.bb index 37e9ed8e84..0a2f9f5046 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.52.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.52.bb @@ -41,6 +41,9 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d file://CVE-2021-3781_3.patch \ file://CVE-2023-28879.patch \ file://0001-Bug-706897-Copy-pcx-buffer-overrun-fix-from-devices-.patch \ + file://CVE-2023-36664-pre1.patch \ + file://CVE-2023-36664-1.patch \ + file://CVE-2023-36664-2.patch \ " SRC_URI = "${SRC_URI_BASE} \ From patchwork Sat Sep 30 19:40:03 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 31452 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id E87C0EED612 for ; Sat, 30 Sep 2023 19:40:34 +0000 (UTC) Received: from mail-oa1-f53.google.com (mail-oa1-f53.google.com [209.85.160.53]) by mx.groups.io with SMTP id smtpd.web10.47633.1696102830406153318 for ; Sat, 30 Sep 2023 12:40:30 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=SxGIziKJ; spf=softfail (domain: sakoman.com, ip: 209.85.160.53, mailfrom: steve@sakoman.com) Received: by mail-oa1-f53.google.com with SMTP id 586e51a60fabf-1dc6195bf93so8180432fac.1 for ; Sat, 30 Sep 2023 12:40:30 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1696102829; x=1696707629; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=/++aj6IvMMHcs+meX0387HcMe3MnHIE5m+DpwoLOOXc=; b=SxGIziKJm+AB1Cnp/LMJFf6TnXCsniUuDnIaayVLmUXLsV+UKFUhCwNG70r3oEWwYl /T3+bmOVCL13I7Pt1EZ7PVrT9cAqRwXmwW7GITgXftoYAcp0B5j6/FWV0upmdQd/Sh4k zuTVrBLtA7DEAUroJC4BYdq/ug4W87xdC9oixWQDiW1dHeWataPK1vUekRB1yfUH+jaP +uC+aME9XxlkJ9VqVn1sfm20FqTzvzWXj0Ukbdmf6eQ4Ocy41O3A1RT3xlhyqSG4aYOF d9Jt5VYwVNGXfh73R2Wo6TU0uu27BWp9Mzj/df4I4bEBwOl5iv5Js3sdSAWo3MlMezze LW5A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1696102829; x=1696707629; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=/++aj6IvMMHcs+meX0387HcMe3MnHIE5m+DpwoLOOXc=; b=dUE8/XzFkMgP235W1lKtsFIotxAGlRBit1mSPbKg5tqe8DwEr4l1ZgEpyzOydylcc4 wWc30RlLlinRTZDiSRikJuY9u4zjyEXwDDJFuw25zutmqNRL5JYwWH1dmrP2WAk6VqzZ Lu5/jZAZRUZiQqpph5D/5pHw3XAjYaub4t/vjg5Cr9vj6k06dtrBdXq1vgAzbF1D03W3 q97orRNz0qZ2Lx+OwvCfL6DSOPQMRqY2dFs35HS+3PljV2796GmXHthaVtOxVTcGV0kk L3yOf3R58pGcwiJHUyT+IFM+KFt0b9akcXBXIcDC1GhB26qkGFpGE1ThV0Tv5RmOeik8 jJzw== X-Gm-Message-State: AOJu0YwMBvgaFBxHiNnWybG3v9vjvAvrqr57O7QSbnscQ4CscEzqlIfD RHq8i5NSHi+rp9sdReN/r8gXqUscCRkp/nW0AEE= X-Google-Smtp-Source: AGHT+IFChAxR5yDAPvoluJDXXFMZ2QwqgBWzOHyQEeMgV0jT6H1qGa6BsbM3r2A57THuO+GcrsECfg== X-Received: by 2002:a05:6870:2306:b0:1dd:7f3a:b8c1 with SMTP id w6-20020a056870230600b001dd7f3ab8c1mr8818755oao.9.1696102829345; Sat, 30 Sep 2023 12:40:29 -0700 (PDT) Received: from hexa.lan (dhcp-72-234-106-30.hawaiiantel.net. [72.234.106.30]) by smtp.gmail.com with ESMTPSA id p2-20020a62ab02000000b006936d053677sm2880011pff.133.2023.09.30.12.40.28 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 30 Sep 2023 12:40:28 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 06/13] qemu: fix CVE-2020-24165 Date: Sat, 30 Sep 2023 09:40:03 -1000 Message-Id: <93efa56fb87217035275dcb04c4a19b79b95ccaf.1696102675.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 30 Sep 2023 19:40:34 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/188471 From: Lee Chee Yang Signed-off-by: Lee Chee Yang Signed-off-by: Steve Sakoman --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2020-24165.patch | 94 +++++++++++++++++++ 2 files changed, 95 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-24165.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 2669ba4ec8..e6b26aba88 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -141,6 +141,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2023-0330_2.patch \ file://CVE-2023-3354.patch \ file://CVE-2023-3180.patch \ + file://CVE-2020-24165.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-24165.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-24165.patch new file mode 100644 index 0000000000..e0a27331a8 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-24165.patch @@ -0,0 +1,94 @@ +CVE: CVE-2020-24165 +Upstream-Status: Backport [https://github.com/qemu/qemu/commit/886cc68943ebe8cf7e5f970be33459f95068a441 ] +Signed-off-by: Lee Chee Yang + +From 886cc68943ebe8cf7e5f970be33459f95068a441 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Alex=20Benn=C3=A9e?= +Date: Fri, 14 Feb 2020 14:49:52 +0000 +Subject: [PATCH] accel/tcg: fix race in cpu_exec_step_atomic (bug 1863025) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The bug describes a race whereby cpu_exec_step_atomic can acquire a TB +which is invalidated by a tb_flush before we execute it. This doesn't +affect the other cpu_exec modes as a tb_flush by it's nature can only +occur on a quiescent system. The race was described as: + + B2. tcg_cpu_exec => cpu_exec => tb_find => tb_gen_code + B3. tcg_tb_alloc obtains a new TB + + C3. TB obtained with tb_lookup__cpu_state or tb_gen_code + (same TB as B2) + + A3. start_exclusive critical section entered + A4. do_tb_flush is called, TB memory freed/re-allocated + A5. end_exclusive exits critical section + + B2. tcg_cpu_exec => cpu_exec => tb_find => tb_gen_code + B3. tcg_tb_alloc reallocates TB from B2 + + C4. start_exclusive critical section entered + C5. cpu_tb_exec executes the TB code that was free in A4 + +The simplest fix is to widen the exclusive period to include the TB +lookup. As a result we can drop the complication of checking we are in +the exclusive region before we end it. + +Cc: Yifan +Buglink: https://bugs.launchpad.net/qemu/+bug/1863025 +Reviewed-by: Paolo Bonzini +Reviewed-by: Richard Henderson +Signed-off-by: Alex Bennée +Message-Id: <20200214144952.15502-1-alex.bennee@linaro.org> +Signed-off-by: Richard Henderson +--- + accel/tcg/cpu-exec.c | 21 +++++++++++---------- + 1 file changed, 11 insertions(+), 10 deletions(-) + +diff --git a/accel/tcg/cpu-exec.c b/accel/tcg/cpu-exec.c +index 2560c90eec79..d95c4848a47b 100644 +--- a/accel/tcg/cpu-exec.c ++++ b/accel/tcg/cpu-exec.c +@@ -240,6 +240,8 @@ void cpu_exec_step_atomic(CPUState *cpu) + uint32_t cf_mask = cflags & CF_HASH_MASK; + + if (sigsetjmp(cpu->jmp_env, 0) == 0) { ++ start_exclusive(); ++ + tb = tb_lookup__cpu_state(cpu, &pc, &cs_base, &flags, cf_mask); + if (tb == NULL) { + mmap_lock(); +@@ -247,8 +249,6 @@ void cpu_exec_step_atomic(CPUState *cpu) + mmap_unlock(); + } + +- start_exclusive(); +- + /* Since we got here, we know that parallel_cpus must be true. */ + parallel_cpus = false; + cc->cpu_exec_enter(cpu); +@@ -271,14 +271,15 @@ void cpu_exec_step_atomic(CPUState *cpu) + qemu_plugin_disable_mem_helpers(cpu); + } + +- if (cpu_in_exclusive_context(cpu)) { +- /* We might longjump out of either the codegen or the +- * execution, so must make sure we only end the exclusive +- * region if we started it. +- */ +- parallel_cpus = true; +- end_exclusive(); +- } ++ ++ /* ++ * As we start the exclusive region before codegen we must still ++ * be in the region if we longjump out of either the codegen or ++ * the execution. ++ */ ++ g_assert(cpu_in_exclusive_context(cpu)); ++ parallel_cpus = true; ++ end_exclusive(); + } + + struct tb_desc { From patchwork Sat Sep 30 19:40:04 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 31454 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id F3A34E748E3 for ; Sat, 30 Sep 2023 19:40:34 +0000 (UTC) Received: from mail-oa1-f41.google.com (mail-oa1-f41.google.com [209.85.160.41]) by mx.groups.io with SMTP id smtpd.web11.47408.1696102832553721750 for ; Sat, 30 Sep 2023 12:40:32 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=IzDZgxx9; spf=softfail (domain: sakoman.com, ip: 209.85.160.41, mailfrom: steve@sakoman.com) Received: by mail-oa1-f41.google.com with SMTP id 586e51a60fabf-1e113555a47so1610518fac.2 for ; Sat, 30 Sep 2023 12:40:32 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1696102831; x=1696707631; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=Dq3HLpYKXpFoH0afaMkpElxQEkRKzF0wcyY8etLlYY4=; b=IzDZgxx9R5f7mEsuD0S0LvFzzNBC0DgxxdjREuOew/URUcb/LfE10RQLMVFft0WhYd 0aOCFT4qGx9vGYMgKNBIV4nBlDd1lbSpRd6UX/It8w6rjebBfmYEPwwuoBwIiYQS+Fqe PunflYGkI9JWXE8lUtuam6LsiZFORHT14wuyEGanpwe71d2LxmppkPMEtQp+T16WUZWo 9obHBPdvS1xxM4bVPQZtyEMqKxRmDZt9SFv72EX7YLkCziwRHFB/nK85j8J6f2ycExzC 3S1JMXeA3nwXdNjk3y/Oi3+Z5eeDrI9q1d6VuzwLyiKfUi+4FNwqNko9dFtJ5UVgFVEM atiw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1696102831; x=1696707631; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Dq3HLpYKXpFoH0afaMkpElxQEkRKzF0wcyY8etLlYY4=; b=ROeb+TQqJZZSC7bHx1H1AdWhKlS/4eDgKLhtx20RQW0RnHdWwaU2K4wLy6ooclAKhI MoHIXjKaELox1Np9A9T6HEIBYTyGQ/Is+x7dFfBV/fjB5ncFH1DVreafbXxbOWtIrLHS ka4nVkW9/BawikjOebuqQGAtlr2OovNN0KmzAVKAZPFGRaBTrBdlaFOvh8H7u/go0HlF /VRJmVeR0v4KjXobXJab6oO/EZ2z4X46LT4ZFSC/Yze9wYwEm0UHhbSROxusoXM5B09y aFjtLpzh6HWcEQRAOaIi7amw+eE3CsU4syNcHau909nab5y6nyjMshW6qwhAx0PwlMvT 5SIw== X-Gm-Message-State: AOJu0YxIV5/5WhhIzLVVYXzwqc85grAx2NjXlFUODfpHrvXtv1oBS81F SOZmPwsSxG/d+mv6NDdnGPRMhqt4SosXPbP+6Ho= X-Google-Smtp-Source: AGHT+IH0Jd/iWGUZxS1P0qn1gG8Gmrh5s2HqlPXI7wIi3azD6aU7EvAfpKw+3Ib5HlWk/Heasvs6UQ== X-Received: by 2002:a05:6871:709:b0:1bb:4606:5be with SMTP id f9-20020a056871070900b001bb460605bemr8704682oap.9.1696102831250; Sat, 30 Sep 2023 12:40:31 -0700 (PDT) Received: from hexa.lan (dhcp-72-234-106-30.hawaiiantel.net. [72.234.106.30]) by smtp.gmail.com with ESMTPSA id p2-20020a62ab02000000b006936d053677sm2880011pff.133.2023.09.30.12.40.30 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 30 Sep 2023 12:40:30 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 07/13] go: Fix CVE-2023-39318 and CVE-2023-39319 Date: Sat, 30 Sep 2023 09:40:04 -1000 Message-Id: <8de380d765d8f47a961c6e45eba1cfa4d2feb68f.1696102675.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 30 Sep 2023 19:40:34 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/188472 From: Siddharth Doshi Upstream-Status: Backport from [https://github.com/golang/go/commit/023b542edf38e2a1f87fcefb9f75ff2f99401b4c] CVE: CVE-2023-39318 Upstream-Status: Backport from [https://github.com/golang/go/commit/2070531d2f53df88e312edace6c8dfc9686ab2f5] CVE: CVE-2023-39319 Signed-off-by: Siddharth Doshi Signed-off-by: Steve Sakoman --- meta/recipes-devtools/go/go-1.14.inc | 2 + .../go/go-1.14/CVE-2023-39318.patch | 238 ++++++++++++++++++ .../go/go-1.14/CVE-2023-39319.patch | 230 +++++++++++++++++ 3 files changed, 470 insertions(+) create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-39318.patch create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-39319.patch diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc index 784b502f46..be63f64825 100644 --- a/meta/recipes-devtools/go/go-1.14.inc +++ b/meta/recipes-devtools/go/go-1.14.inc @@ -77,6 +77,8 @@ SRC_URI += "\ file://CVE-2023-24536_1.patch \ file://CVE-2023-24536_2.patch \ file://CVE-2023-24536_3.patch \ + file://CVE-2023-39318.patch \ + file://CVE-2023-39319.patch \ " SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch" diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-39318.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-39318.patch new file mode 100644 index 0000000000..20e70c0485 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-39318.patch @@ -0,0 +1,238 @@ +From 023b542edf38e2a1f87fcefb9f75ff2f99401b4c Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker +Date: Thu, 3 Aug 2023 12:24:13 -0700 +Subject: [PATCH] [release-branch.go1.20] html/template: support HTML-like + comments in script contexts + +Per Appendix B.1.1 of the ECMAScript specification, support HTML-like +comments in script contexts. Also per section 12.5, support hashbang +comments. This brings our parsing in-line with how browsers treat these +comment types. + +Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for +reporting this issue. + +Fixes #62196 +Fixes #62395 +Fixes CVE-2023-39318 + +Change-Id: Id512702c5de3ae46cf648e268cb10e1eb392a181 +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1976593 +Run-TryBot: Roland Shoemaker +Reviewed-by: Tatiana Bradley +Reviewed-by: Damien Neil +Reviewed-by: Dmitri Shuralyov +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2014620 +Reviewed-on: https://go-review.googlesource.com/c/go/+/526098 +Run-TryBot: Cherry Mui +TryBot-Result: Gopher Robot + +Upstream-Status: Backport from [https://github.com/golang/go/commit/023b542edf38e2a1f87fcefb9f75ff2f99401b4c] +CVE: CVE-2023-39318 +Signed-off-by: Siddharth Doshi +--- + src/html/template/context.go | 6 ++- + src/html/template/escape.go | 5 +- + src/html/template/escape_test.go | 10 ++++ + src/html/template/state_string.go | 4 +- + src/html/template/transition.go | 80 ++++++++++++++++++++----------- + 5 files changed, 72 insertions(+), 33 deletions(-) + +diff --git a/src/html/template/context.go b/src/html/template/context.go +index 0b65313..4eb7891 100644 +--- a/src/html/template/context.go ++++ b/src/html/template/context.go +@@ -124,6 +124,10 @@ const ( + stateJSBlockCmt + // stateJSLineCmt occurs inside a JavaScript // line comment. + stateJSLineCmt ++ // stateJSHTMLOpenCmt occurs inside a JavaScript HTML-like comment. ++ stateJSHTMLCloseCmt + // stateCSS occurs inside a