From patchwork Tue Oct 10 14:14:18 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 31931 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id E7A46CD8C8E for ; Tue, 10 Oct 2023 14:14:49 +0000 (UTC) Received: from mail-pl1-f178.google.com (mail-pl1-f178.google.com [209.85.214.178]) by mx.groups.io with SMTP id smtpd.web10.92769.1696947276432586496 for ; Tue, 10 Oct 2023 07:14:40 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=pBhp7j+M; spf=softfail (domain: sakoman.com, ip: 209.85.214.178, mailfrom: steve@sakoman.com) Received: by mail-pl1-f178.google.com with SMTP id d9443c01a7336-1c874b43123so48408945ad.2 for ; Tue, 10 Oct 2023 07:14:36 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1696947275; x=1697552075; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=3g4JJk11IO4GuzmgkvSmWjgGPDnVtGWJeN49FIEarQ8=; b=pBhp7j+MRaN03y1gRyWMaOE07gLy0OEpax0LQNKEZiAH4m13bJtCTdRv5U5ROHkIYZ 8WMgikHoHVCxti0jcfy0pdTcnoV6FsoUY+kFW/SFwim0o1BkeOrvusQqeOvZ1J2PQvVt 9vqDZlsKXvUPPbjmBxMm8/oMKyYHFoXh8otmLkorukF/QD6FXE4joW6EeLTgXXUXop1L 3WE0z6nTWdDqF/n/VQuIaS4h0vJejSKPIje0XAuom+yb5Rex0IPUnAKKGdex3NhN4c7Z E1IKu35MxoBG9mGTWKJ5EIMBn7XmNgFLf2Y7KXb8qMOV8sZB7MnmjmJMfEFFe+hxZOI5 jZzg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1696947275; x=1697552075; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=3g4JJk11IO4GuzmgkvSmWjgGPDnVtGWJeN49FIEarQ8=; b=MMranCoaC4LYrGLGl4MMpbE6Uhx/74ORaVKkTBUUZsj2RV8AMdUbyMfl2Y9ei8tePE 7+h1zmmDRU4pDhEeYE6dcwLmyb3rnzj67fV6Bg3MTkOArNAJPWxRNBz8Ml5rIQKSNGXo aljzqmr2tdoPsqiql1mBKpwcycIrjQg6KknpYxbsiSkjOEcqgPOc/oPq6ho6ojW6c+UC VH42vyG2oMacLKNv64ZQJdfh3kIYRl4JeyZQrPRzyfBkWcF9Kb97UByeCySWu2Hq+S44 ym9rHilh3duNf7e9mFkWSt7JQu1tP6qHRMElkKkf3W9uT8rdQaIMEDP4XXV7pUQP7Jj4 Z3nw== X-Gm-Message-State: AOJu0YzyPXcTYzzcAoTK8+MqC2o0wzIqWknIa1uG4jN7k0MIzf39fmRs o4QSvDTO0J05PlZEBBYUleznNdLYexfFbCICEh0= X-Google-Smtp-Source: AGHT+IGLdtyzk8y2Fm2weJHGlV9j/dGo6ksz/h8+ncSvTXUwPMwaRE5WrlaHmXhCwtigaj6KJJ09aQ== X-Received: by 2002:a17:903:11d2:b0:1c7:2697:ec0a with SMTP id q18-20020a17090311d200b001c72697ec0amr20239373plh.30.1696947275274; Tue, 10 Oct 2023 07:14:35 -0700 (PDT) Received: from hexa.router0800d9.com (dhcp-72-234-106-30.hawaiiantel.net. [72.234.106.30]) by smtp.gmail.com with ESMTPSA id b8-20020a170902d50800b001b81a97860asm11737610plg.27.2023.10.10.07.14.34 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 10 Oct 2023 07:14:34 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 01/11] cups: Backport fix for CVE-2023-32360 and CVE-2023-4504 Date: Tue, 10 Oct 2023 04:14:18 -1000 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 10 Oct 2023 14:14:49 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/188900 From: Vijay Anusuri Upstream commits: https://github.com/OpenPrinting/cups/commit/a0c8b9c9556882f00c68b9727a95a1b6d1452913 & https://github.com/OpenPrinting/cups/commit/2431caddb7e6a87f04ac90b5c6366ad268b6ff31 Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- meta/recipes-extended/cups/cups.inc | 2 + .../cups/cups/CVE-2023-32360.patch | 31 ++++++++++++++ .../cups/cups/CVE-2023-4504.patch | 40 +++++++++++++++++++ 3 files changed, 73 insertions(+) create mode 100644 meta/recipes-extended/cups/cups/CVE-2023-32360.patch create mode 100644 meta/recipes-extended/cups/cups/CVE-2023-4504.patch diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc index 1d2377486a..6cfe314f20 100644 --- a/meta/recipes-extended/cups/cups.inc +++ b/meta/recipes-extended/cups/cups.inc @@ -16,6 +16,8 @@ SRC_URI = "https://github.com/apple/cups/releases/download/v${PV}/${BP}-source.t file://CVE-2022-26691.patch \ file://CVE-2023-32324.patch \ file://CVE-2023-34241.patch \ + file://CVE-2023-32360.patch \ + file://CVE-2023-4504.patch \ " UPSTREAM_CHECK_URI = "https://github.com/apple/cups/releases" diff --git a/meta/recipes-extended/cups/cups/CVE-2023-32360.patch b/meta/recipes-extended/cups/cups/CVE-2023-32360.patch new file mode 100644 index 0000000000..4d39e1e57f --- /dev/null +++ b/meta/recipes-extended/cups/cups/CVE-2023-32360.patch @@ -0,0 +1,31 @@ +From a0c8b9c9556882f00c68b9727a95a1b6d1452913 Mon Sep 17 00:00:00 2001 +From: Michael R Sweet +Date: Tue, 6 Dec 2022 09:04:01 -0500 +Subject: [PATCH] Require authentication for CUPS-Get-Document. + +Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/a0c8b9c9556882f00c68b9727a95a1b6d1452913] +CVE: CVE-2023-32360 +Signed-off-by: Vijay Anusuri +--- + conf/cupsd.conf.in | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/conf/cupsd.conf.in b/conf/cupsd.conf.in +index b258849078..a07536f3e4 100644 +--- a/conf/cupsd.conf.in ++++ b/conf/cupsd.conf.in +@@ -68,7 +68,13 @@ IdleExitTimeout @EXIT_TIMEOUT@ + Order deny,allow + + +- ++ ++ Require user @OWNER @SYSTEM ++ Order deny,allow ++ ++ ++ ++ AuthType Default + Require user @OWNER @SYSTEM + Order deny,allow + diff --git a/meta/recipes-extended/cups/cups/CVE-2023-4504.patch b/meta/recipes-extended/cups/cups/CVE-2023-4504.patch new file mode 100644 index 0000000000..be0db1fbd4 --- /dev/null +++ b/meta/recipes-extended/cups/cups/CVE-2023-4504.patch @@ -0,0 +1,40 @@ +From a9a7daa77699bd58001c25df8a61a8029a217ddf Mon Sep 17 00:00:00 2001 +From: Zdenek Dohnal +Date: Fri, 1 Sep 2023 16:47:29 +0200 +Subject: [PATCH] raster-interpret.c: Fix CVE-2023-4504 + +We didn't check for end of buffer if it looks there is an escaped +character - check for NULL terminator there and if found, return NULL +as return value and in `ptr`, because a lone backslash is not +a valid PostScript character. + +Upstream-Status: Backport [https://github.com/OpenPrinting/cups/commit/2431caddb7e6a87f04ac90b5c6366ad268b6ff31] +CVE: CVE-2023-4504 +Signed-off-by: Vijay Anusuri +--- + cups/raster-interpret.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +--- a/cups/raster-interpret.c ++++ b/cups/raster-interpret.c +@@ -1113,7 +1113,19 @@ scan_ps(_cups_ps_stack_t *st, /* I - S + + cur ++; + +- if (*cur == 'b') ++ /* ++ * Return NULL if we reached NULL terminator, a lone backslash ++ * is not a valid character in PostScript. ++ */ ++ ++ if (!*cur) ++ { ++ *ptr = NULL; ++ ++ return (NULL); ++ } ++ ++ if (*cur == 'b') + *valptr++ = '\b'; + else if (*cur == 'f') + *valptr++ = '\f'; From patchwork Tue Oct 10 14:14:19 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 31930 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id BD2D0CD8C85 for ; Tue, 10 Oct 2023 14:14:49 +0000 (UTC) Received: from mail-pl1-f173.google.com (mail-pl1-f173.google.com [209.85.214.173]) by mx.groups.io with SMTP id smtpd.web10.92770.1696947278031480599 for ; Tue, 10 Oct 2023 07:14:40 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=m7YJboZX; spf=temperror, err=temporary DNS error (domain: sakoman.com, ip: 209.85.214.173, mailfrom: steve@sakoman.com) Received: by mail-pl1-f173.google.com with SMTP id d9443c01a7336-1c9bf22fe05so3233975ad.2 for ; Tue, 10 Oct 2023 07:14:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1696947277; x=1697552077; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=E+Z4VvcHxErnoY9Pipjc6geVt1kSElvknTGACFS+fhY=; b=m7YJboZXFJYntrTpZ7Y6WeSwVZHQMLxg7nLgP8SXeqg+Yo5QXcvmvk+LnsX9ChnbLk jtirja0RLg4UrBeFWhWUbBaeps+/LjsE/pF9oRT6GABZq4PHF7+8THcV6hNs0tR5d3ra Ew/OCM6PShFmhu+ETyD8HgTuMBS6vpaFJK3sG3wZic2JlqM/mCDQp+Ux/iSyI03bCfbe TyvjYJJkcVxZGrDl/Ee4Q154QyEjKkBgesTeQN55MRGSrYVndlp7Q2xHTLJM+rbOawkV v+rYKN3hq3WGPk7HBjBMwbGTSMGOhHJ76AgsvpvFxM2eG9cbu2aQJuyzYG8gntZU+QCe +hCQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1696947277; x=1697552077; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=E+Z4VvcHxErnoY9Pipjc6geVt1kSElvknTGACFS+fhY=; b=QJ/y4kGD2z5dbuTHKgUhTb+HBkvBLkccT1GRsmFL+Jhsoja+vZmYQkrS+3STm9Is+P /rYWeT85IqT53S73QpxNzWwANOnQo8DKRW8G7rMgMSE/YJAKUF7PfeMcNuFE6HutahA0 +82GvB3coaMndipZOdS58x4TSRsWHgXXqNhSXed7qoJH0pRooI3G5y2vtIVyxXnkphtl L+gms2MYhoKPrXeKuR+uK7jHsfumwsc7SPfEDq2rzn49isoNDqJW736cN9a1m6CjIqPw NmPpnXfgv1GzxHE/v4XrsZK9YLAc/G5flc7Zk/3ayI/8KLOh9dpZ0ZwMBl/irBoc5zSI hosQ== X-Gm-Message-State: AOJu0YyPHUlbYQzUSdUGoVl5ipsA2o96XTGMoOfTirC8DmEG+kvTBebP NTu/N87qbc8ldu7HL7NNXA40Sio+O6pzPCYf0j8= X-Google-Smtp-Source: AGHT+IEm0ySXH1jvtZvGnZPsvBwXdpcP9ee14bCUg4AX1A3o25iTO76e63Sc8wYOFcIWYVP+Pqpqkw== X-Received: by 2002:a17:902:e881:b0:1c4:4c10:6ae3 with SMTP id w1-20020a170902e88100b001c44c106ae3mr21230158plg.23.1696947276973; Tue, 10 Oct 2023 07:14:36 -0700 (PDT) Received: from hexa.router0800d9.com (dhcp-72-234-106-30.hawaiiantel.net. [72.234.106.30]) by smtp.gmail.com with ESMTPSA id b8-20020a170902d50800b001b81a97860asm11737610plg.27.2023.10.10.07.14.36 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 10 Oct 2023 07:14:36 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 02/11] gawk: backport Debian patch to fix CVE-2023-4156 Date: Tue, 10 Oct 2023 04:14:19 -1000 Message-Id: <68412b76948ce185d87fda73ead7b73e5ad6defd.1696946306.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 10 Oct 2023 14:14:49 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/188899 From: Vijay Anusuri Upstream-Status: Backport [https://git.launchpad.net/ubuntu/+source/gawk/tree/debian/patches?h=ubuntu/focal-security & https://git.savannah.gnu.org/gitweb/?p=gawk.git;a=commitdiff;h=e709eb829448ce040087a3fc5481db6bfcaae212] Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- .../gawk/gawk/CVE-2023-4156.patch | 28 +++++++++++++++++++ meta/recipes-extended/gawk/gawk_5.0.1.bb | 1 + 2 files changed, 29 insertions(+) create mode 100644 meta/recipes-extended/gawk/gawk/CVE-2023-4156.patch diff --git a/meta/recipes-extended/gawk/gawk/CVE-2023-4156.patch b/meta/recipes-extended/gawk/gawk/CVE-2023-4156.patch new file mode 100644 index 0000000000..c6cba058a7 --- /dev/null +++ b/meta/recipes-extended/gawk/gawk/CVE-2023-4156.patch @@ -0,0 +1,28 @@ +From e709eb829448ce040087a3fc5481db6bfcaae212 Mon Sep 17 00:00:00 2001 +From: "Arnold D. Robbins" +Date: Wed, 3 Aug 2022 13:00:54 +0300 +Subject: [PATCH] Smal bug fix in builtin.c. + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/gawk/tree/debian/patches/CVE-2023-4156.patch?h=ubuntu/focal-security +Upstream commit https://git.savannah.gnu.org/gitweb/?p=gawk.git;a=commitdiff;h=e709eb829448ce040087a3fc5481db6bfcaae212] +CVE: CVE-2023-4156 +Signed-off-by: Vijay Anusuri +--- + ChangeLog | 6 ++++++ + builtin.c | 5 ++++- + 2 files changed, 10 insertions(+), 1 deletion(-) + +--- gawk-5.1.0.orig/builtin.c ++++ gawk-5.1.0/builtin.c +@@ -957,7 +957,10 @@ check_pos: + s1++; + n0--; + } +- if (val >= num_args) { ++ // val could be less than zero if someone provides a field width ++ // so large that it causes integer overflow. Mainly fuzzers do this, ++ // but let's try to be good anyway. ++ if (val < 0 || val >= num_args) { + toofew = true; + break; + } diff --git a/meta/recipes-extended/gawk/gawk_5.0.1.bb b/meta/recipes-extended/gawk/gawk_5.0.1.bb index 1b29ec3113..c71890c19e 100644 --- a/meta/recipes-extended/gawk/gawk_5.0.1.bb +++ b/meta/recipes-extended/gawk/gawk_5.0.1.bb @@ -18,6 +18,7 @@ PACKAGECONFIG[mpfr] = "--with-mpfr,--without-mpfr, mpfr" SRC_URI = "${GNU_MIRROR}/gawk/gawk-${PV}.tar.gz \ file://remove-sensitive-tests.patch \ file://run-ptest \ + file://CVE-2023-4156.patch \ " SRC_URI[md5sum] = "c5441c73cc451764055ee65e9a4292bb" From patchwork Tue Oct 10 14:14:20 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 31939 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 217A4CD8C8F for ; Tue, 10 Oct 2023 14:14:50 +0000 (UTC) Received: from mail-pl1-f181.google.com (mail-pl1-f181.google.com [209.85.214.181]) by mx.groups.io with SMTP id smtpd.web10.92772.1696947281997775619 for ; Tue, 10 Oct 2023 07:14:43 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=3GbPgej8; spf=softfail (domain: sakoman.com, ip: 209.85.214.181, mailfrom: steve@sakoman.com) Received: by mail-pl1-f181.google.com with SMTP id d9443c01a7336-1c7373cff01so49476025ad.1 for ; Tue, 10 Oct 2023 07:14:41 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1696947281; x=1697552081; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=Ae4ZrMsgqNWR5rYYpGiGL68KiwyiyLcAQ/bW7g8nFoA=; b=3GbPgej8LfVxxXJ7d6CBN4o494ZaE2XpuVTlzUAdC3c5yp5yKwwITZ38f6kVbuN9GQ 5SHOSwWJQyUIhZI2ZnHwWI6DKR4PniBid0P+/1pk/sPcl6rQWO9aDL/28oGeLJXMSGW6 Sy+ztpDDZrXcP9lVgTPeh5ck0r3dfi/2tbHgLrRErqpAB9E1OqoshB0qmHBp0yPQ6sQ5 wQ6iOSMZa1ZI6lxI4XTJ4RpdWrawwaNsU8OMysMO90tdix8zlLm57A5TMnyl49rdOoxV HsP5xIzE2SI5asDa6MfsJxjhOWeSM46fNyNh5GauvQyZGhyAyTBLdtaFsyp9M4iUqaKh VfKA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1696947281; x=1697552081; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Ae4ZrMsgqNWR5rYYpGiGL68KiwyiyLcAQ/bW7g8nFoA=; b=fvaacllFb6tF4/KZrDaraDzZVpHv3By4xw3eGIjIwrUTEp3sznj1HhX1bw7RLHnA2+ r0ECU3x+tc11nvHhmN987SzZEwRXxWZZRmDqcafrGqmiG7WYvHItQ088TzfB6mv1Z930 R+lGhakCc4KX7DpBU/sv+vvS1y1MBaibTgNf15SQvFTRaHn5WCKW1KXPdbO3+MBlOe8b D6NcSCyiww+2ld+UGaddstb2y9yjJRSztzJ4zpuQzZI+mH9MHKti86aUeASzU4SG53BA rnw9DzC3GGEZE4P45zzO1Kc5Ecqh0DGoF/JFOQbV6QJYWM/CiAuTbhRjfzralKN7uo0l HoTQ== X-Gm-Message-State: AOJu0Yyausj4nOPH4kURqdg3e2m+ObHzkBuq7yWtdUEtGnjzSOa76Vq0 N0IdxzLGsji9AnxI9z9wUbQZltX9Gktm1hubs2w= X-Google-Smtp-Source: AGHT+IFIYGzfR+7U7e6q7T+tf4LLp27KliVD9A18r4qOK7oDJFqG9No6QUFrWEK3Ws4BL6+66oEWEg== X-Received: by 2002:a17:902:e884:b0:1c7:36ff:1feb with SMTP id w4-20020a170902e88400b001c736ff1febmr23220675plg.17.1696947278962; Tue, 10 Oct 2023 07:14:38 -0700 (PDT) Received: from hexa.router0800d9.com (dhcp-72-234-106-30.hawaiiantel.net. [72.234.106.30]) by smtp.gmail.com with ESMTPSA id b8-20020a170902d50800b001b81a97860asm11737610plg.27.2023.10.10.07.14.37 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 10 Oct 2023 07:14:38 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 03/11] go: Update fix for CVE-2023-24538 & CVE-2023-39318 Date: Tue, 10 Oct 2023 04:14:20 -1000 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 10 Oct 2023 14:14:50 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/188902 From: Shubham Kulkarni Add missing files in fix for CVE-2023-24538 & CVE-2023-39318 Upstream Link - CVE-2023-24538: https://github.com/golang/go/commit/b1e3ecfa06b67014429a197ec5e134ce4303ad9b CVE-2023-39318: https://github.com/golang/go/commit/023b542edf38e2a1f87fcefb9f75ff2f99401b4c Signed-off-by: Shubham Kulkarni Signed-off-by: Steve Sakoman --- meta/recipes-devtools/go/go-1.14.inc | 5 +- .../go/go-1.14/CVE-2023-24538-1.patch | 4 +- .../go/go-1.14/CVE-2023-24538-2.patch | 447 ++++++++++++- .../go/go-1.14/CVE-2023-24538_3.patch | 393 ++++++++++++ .../go/go-1.14/CVE-2023-24538_4.patch | 497 +++++++++++++++ .../go/go-1.14/CVE-2023-24538_5.patch | 585 ++++++++++++++++++ ...3-24538-3.patch => CVE-2023-24538_6.patch} | 175 +++++- .../go/go-1.14/CVE-2023-39318.patch | 38 +- 8 files changed, 2124 insertions(+), 20 deletions(-) create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-24538_3.patch create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-24538_4.patch create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-24538_5.patch rename meta/recipes-devtools/go/go-1.14/{CVE-2023-24538-3.patch => CVE-2023-24538_6.patch} (53%) diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc index be63f64825..091b778de8 100644 --- a/meta/recipes-devtools/go/go-1.14.inc +++ b/meta/recipes-devtools/go/go-1.14.inc @@ -60,7 +60,10 @@ SRC_URI += "\ file://CVE-2023-24534.patch \ file://CVE-2023-24538-1.patch \ file://CVE-2023-24538-2.patch \ - file://CVE-2023-24538-3.patch \ + file://CVE-2023-24538_3.patch \ + file://CVE-2023-24538_4.patch \ + file://CVE-2023-24538_5.patch \ + file://CVE-2023-24538_6.patch \ file://CVE-2023-24539.patch \ file://CVE-2023-24540.patch \ file://CVE-2023-29405-1.patch \ diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch index eda26e5ff6..23c5075e41 100644 --- a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch +++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch @@ -1,7 +1,7 @@ From 8acd01094d9ee17f6e763a61e49a8a808b3a9ddb Mon Sep 17 00:00:00 2001 From: Brad Fitzpatrick Date: Mon, 2 Aug 2021 14:55:51 -0700 -Subject: [PATCH 1/3] net/netip: add new IP address package +Subject: [PATCH 1/6] net/netip: add new IP address package Co-authored-by: Alex Willmer (GitHub @moreati) Co-authored-by: Alexander Yastrebov @@ -31,7 +31,7 @@ Trust: Brad Fitzpatrick Dependency Patch #1 -Upstream-Status: Backport [https://github.com/golang/go/commit/a59e33224e42d60a97fa720a45e1b74eb6aaa3d0] +Upstream-Status: Backport from https://github.com/golang/go/commit/a59e33224e42d60a97fa720a45e1b74eb6aaa3d0 CVE: CVE-2023-24538 Signed-off-by: Shubham Kulkarni --- diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch index 5036f2890b..f200c41e16 100644 --- a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch +++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch @@ -1,7 +1,7 @@ From 6fc21505614f36178df0dad7034b6b8e3f7588d5 Mon Sep 17 00:00:00 2001 From: empijei Date: Fri, 27 Mar 2020 19:27:55 +0100 -Subject: [PATCH 2/3] html/template,text/template: switch to Unicode escapes +Subject: [PATCH 2/6] html/template,text/template: switch to Unicode escapes for JSON compatibility MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -31,10 +31,238 @@ Upstream-Status: Backport from https://github.com/golang/go/commit/d4d298040d072 CVE: CVE-2023-24538 Signed-off-by: Shubham Kulkarni --- - src/html/template/js.go | 70 +++++++++++++++++++++++++++------------------- - src/text/template/funcs.go | 8 +++--- - 2 files changed, 46 insertions(+), 32 deletions(-) + src/html/template/content_test.go | 70 +++++++++++++++++++------------------- + src/html/template/escape_test.go | 6 ++-- + src/html/template/example_test.go | 6 ++-- + src/html/template/js.go | 70 +++++++++++++++++++++++--------------- + src/html/template/js_test.go | 68 ++++++++++++++++++------------------ + src/html/template/template_test.go | 39 +++++++++++++++++++++ + src/text/template/exec_test.go | 6 ++-- + src/text/template/funcs.go | 8 ++--- + 8 files changed, 163 insertions(+), 110 deletions(-) +diff --git a/src/html/template/content_test.go b/src/html/template/content_test.go +index 72d56f5..bd86527 100644 +--- a/src/html/template/content_test.go ++++ b/src/html/template/content_test.go +@@ -18,7 +18,7 @@ func TestTypedContent(t *testing.T) { + HTML(`Hello, World &tc!`), + HTMLAttr(` dir="ltr"`), + JS(`c && alert("Hello, World!");`), +- JSStr(`Hello, World & O'Reilly\x21`), ++ JSStr(`Hello, World & O'Reilly\u0021`), + URL(`greeting=H%69,&addressee=(World)`), + Srcset(`greeting=H%69,&addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`), + URL(`,foo/,`), +@@ -70,7 +70,7 @@ func TestTypedContent(t *testing.T) { + `Hello, World &tc!`, + ` dir="ltr"`, + `c && alert("Hello, World!");`, +- `Hello, World & O'Reilly\x21`, ++ `Hello, World & O'Reilly\u0021`, + `greeting=H%69,&addressee=(World)`, + `greeting=H%69,&addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`, + `,foo/,`, +@@ -100,7 +100,7 @@ func TestTypedContent(t *testing.T) { + `Hello, World &tc!`, + ` dir="ltr"`, + `c && alert("Hello, World!");`, +- `Hello, World & O'Reilly\x21`, ++ `Hello, World & O'Reilly\u0021`, + `greeting=H%69,&addressee=(World)`, + `greeting=H%69,&addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`, + `,foo/,`, +@@ -115,7 +115,7 @@ func TestTypedContent(t *testing.T) { + `Hello, World &tc!`, + ` dir="ltr"`, + `c && alert("Hello, World!");`, +- `Hello, World & O'Reilly\x21`, ++ `Hello, World & O'Reilly\u0021`, + `greeting=H%69,&addressee=(World)`, + `greeting=H%69,&addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`, + `,foo/,`, +@@ -130,7 +130,7 @@ func TestTypedContent(t *testing.T) { + `Hello, <b>World</b> &tc!`, + ` dir="ltr"`, + `c && alert("Hello, World!");`, +- `Hello, World & O'Reilly\x21`, ++ `Hello, World & O'Reilly\u0021`, + `greeting=H%69,&addressee=(World)`, + `greeting=H%69,&addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`, + `,foo/,`, +@@ -146,7 +146,7 @@ func TestTypedContent(t *testing.T) { + // Not escaped. + `c && alert("Hello, World!");`, + // Escape sequence not over-escaped. +- `"Hello, World & O'Reilly\x21"`, ++ `"Hello, World & O'Reilly\u0021"`, + `"greeting=H%69,\u0026addressee=(World)"`, + `"greeting=H%69,\u0026addressee=(World) 2x, https://golang.org/favicon.ico 500.5w"`, + `",foo/,"`, +@@ -162,7 +162,7 @@ func TestTypedContent(t *testing.T) { + // Not JS escaped but HTML escaped. + `c && alert("Hello, World!");`, + // Escape sequence not over-escaped. +- `"Hello, World & O'Reilly\x21"`, ++ `"Hello, World & O'Reilly\u0021"`, + `"greeting=H%69,\u0026addressee=(World)"`, + `"greeting=H%69,\u0026addressee=(World) 2x, https://golang.org/favicon.ico 500.5w"`, + `",foo/,"`, +@@ -171,30 +171,30 @@ func TestTypedContent(t *testing.T) { + { + ``, + []string{ +- `\x3cb\x3e \x22foo%\x22 O\x27Reilly \x26bar;`, +- `a[href =~ \x22\/\/example.com\x22]#foo`, +- `Hello, \x3cb\x3eWorld\x3c\/b\x3e \x26amp;tc!`, +- ` dir=\x22ltr\x22`, +- `c \x26\x26 alert(\x22Hello, World!\x22);`, ++ `\u003cb\u003e \u0022foo%\u0022 O\u0027Reilly \u0026bar;`, ++ `a[href =~ \u0022\/\/example.com\u0022]#foo`, ++ `Hello, \u003cb\u003eWorld\u003c\/b\u003e \u0026amp;tc!`, ++ ` dir=\u0022ltr\u0022`, ++ `c \u0026\u0026 alert(\u0022Hello, World!\u0022);`, + // Escape sequence not over-escaped. +- `Hello, World \x26 O\x27Reilly\x21`, +- `greeting=H%69,\x26addressee=(World)`, +- `greeting=H%69,\x26addressee=(World) 2x, https:\/\/golang.org\/favicon.ico 500.5w`, ++ `Hello, World \u0026 O\u0027Reilly\u0021`, ++ `greeting=H%69,\u0026addressee=(World)`, ++ `greeting=H%69,\u0026addressee=(World) 2x, https:\/\/golang.org\/favicon.ico 500.5w`, + `,foo\/,`, + }, + }, + { + ``, + []string{ +- `\x3cb\x3e \x22foo%\x22 O\x27Reilly \x26bar;`, +- `a[href =~ \x22\/\/example.com\x22]#foo`, +- `Hello, \x3cb\x3eWorld\x3c\/b\x3e \x26amp;tc!`, +- ` dir=\x22ltr\x22`, +- `c \x26\x26 alert(\x22Hello, World!\x22);`, ++ `\u003cb\u003e \u0022foo%\u0022 O\u0027Reilly \u0026bar;`, ++ `a[href =~ \u0022\/\/example.com\u0022]#foo`, ++ `Hello, \u003cb\u003eWorld\u003c\/b\u003e \u0026amp;tc!`, ++ ` dir=\u0022ltr\u0022`, ++ `c \u0026\u0026 alert(\u0022Hello, World!\u0022);`, + // Escape sequence not over-escaped. +- `Hello, World \x26 O\x27Reilly\x21`, +- `greeting=H%69,\x26addressee=(World)`, +- `greeting=H%69,\x26addressee=(World) 2x, https:\/\/golang.org\/favicon.ico 500.5w`, ++ `Hello, World \u0026 O\u0027Reilly\u0021`, ++ `greeting=H%69,\u0026addressee=(World)`, ++ `greeting=H%69,\u0026addressee=(World) 2x, https:\/\/golang.org\/favicon.ico 500.5w`, + `,foo\/,`, + }, + }, +@@ -208,7 +208,7 @@ func TestTypedContent(t *testing.T) { + // Not escaped. + `c && alert("Hello, World!");`, + // Escape sequence not over-escaped. +- `"Hello, World & O'Reilly\x21"`, ++ `"Hello, World & O'Reilly\u0021"`, + `"greeting=H%69,\u0026addressee=(World)"`, + `"greeting=H%69,\u0026addressee=(World) 2x, https://golang.org/favicon.ico 500.5w"`, + `",foo/,"`, +@@ -224,7 +224,7 @@ func TestTypedContent(t *testing.T) { + `Hello, World &tc!`, + ` dir="ltr"`, + `c && alert("Hello, World!");`, +- `Hello, World & O'Reilly\x21`, ++ `Hello, World & O'Reilly\u0021`, + `greeting=H%69,&addressee=(World)`, + `greeting=H%69,&addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`, + `,foo/,`, +@@ -233,15 +233,15 @@ func TestTypedContent(t *testing.T) { + { + ``, + "helper": `{{11}} of {{"<100>"}}`, + }, +- ``, ++ ``, + }, + // A non-recursive template that ends in a different context. + // helper starts in jsCtxRegexp and ends in jsCtxDivOp. +diff --git a/src/html/template/example_test.go b/src/html/template/example_test.go +index 9d965f1..6cf936f 100644 +--- a/src/html/template/example_test.go ++++ b/src/html/template/example_test.go +@@ -116,9 +116,9 @@ func Example_escape() { + // "Fran & Freddie's Diner" <tasty@example.com> + // "Fran & Freddie's Diner" <tasty@example.com> + // "Fran & Freddie's Diner"32<tasty@example.com> +- // \"Fran \x26 Freddie\'s Diner\" \x3Ctasty@example.com\x3E +- // \"Fran \x26 Freddie\'s Diner\" \x3Ctasty@example.com\x3E +- // \"Fran \x26 Freddie\'s Diner\"32\x3Ctasty@example.com\x3E ++ // \"Fran \u0026 Freddie\'s Diner\" \u003Ctasty@example.com\u003E ++ // \"Fran \u0026 Freddie\'s Diner\" \u003Ctasty@example.com\u003E ++ // \"Fran \u0026 Freddie\'s Diner\"32\u003Ctasty@example.com\u003E + // %22Fran+%26+Freddie%27s+Diner%2232%3Ctasty%40example.com%3E + + } diff --git a/src/html/template/js.go b/src/html/template/js.go index 0e91458..ea9c183 100644 --- a/src/html/template/js.go @@ -173,6 +401,217 @@ index 0e91458..ea9c183 100644 '?': `\?`, '[': `\[`, '\\': `\\`, +diff --git a/src/html/template/js_test.go b/src/html/template/js_test.go +index 075adaa..d7ee47b 100644 +--- a/src/html/template/js_test.go ++++ b/src/html/template/js_test.go +@@ -137,7 +137,7 @@ func TestJSValEscaper(t *testing.T) { + {"foo", `"foo"`}, + // Newlines. + {"\r\n\u2028\u2029", `"\r\n\u2028\u2029"`}, +- // "\v" == "v" on IE 6 so use "\x0b" instead. ++ // "\v" == "v" on IE 6 so use "\u000b" instead. + {"\t\x0b", `"\t\u000b"`}, + {struct{ X, Y int }{1, 2}, `{"X":1,"Y":2}`}, + {[]interface{}{}, "[]"}, +@@ -173,7 +173,7 @@ func TestJSStrEscaper(t *testing.T) { + }{ + {"", ``}, + {"foo", `foo`}, +- {"\u0000", `\0`}, ++ {"\u0000", `\u0000`}, + {"\t", `\t`}, + {"\n", `\n`}, + {"\r", `\r`}, +@@ -183,14 +183,14 @@ func TestJSStrEscaper(t *testing.T) { + {"\\n", `\\n`}, + {"foo\r\nbar", `foo\r\nbar`}, + // Preserve attribute boundaries. +- {`"`, `\x22`}, +- {`'`, `\x27`}, ++ {`"`, `\u0022`}, ++ {`'`, `\u0027`}, + // Allow embedding in HTML without further escaping. +- {`&`, `\x26amp;`}, ++ {`&`, `\u0026amp;`}, + // Prevent breaking out of text node and element boundaries. +- {"", `\x3c\/script\x3e`}, +- {"", `]]\x3e`}, ++ {"", `\u003c\/script\u003e`}, ++ {"", `]]\u003e`}, + // https://dev.w3.org/html5/markup/aria/syntax.html#escaping-text-span + // "The text in style, script, title, and textarea elements + // must not have an escaping text span start that is not +@@ -201,11 +201,11 @@ func TestJSStrEscaper(t *testing.T) { + // allow regular text content to be interpreted as script + // allowing script execution via a combination of a JS string + // injection followed by an HTML text injection. +- {"", `--\x3e`}, ++ {"", `--\u003e`}, + // From https://code.google.com/p/doctype/wiki/ArticleUtf7 + {"+ADw-script+AD4-alert(1)+ADw-/script+AD4-", +- `\x2bADw-script\x2bAD4-alert(1)\x2bADw-\/script\x2bAD4-`, ++ `\u002bADw-script\u002bAD4-alert(1)\u002bADw-\/script\u002bAD4-`, + }, + // Invalid UTF-8 sequence + {"foo\xA0bar", "foo\xA0bar"}, +@@ -228,7 +228,7 @@ func TestJSRegexpEscaper(t *testing.T) { + }{ + {"", `(?:)`}, + {"foo", `foo`}, +- {"\u0000", `\0`}, ++ {"\u0000", `\u0000`}, + {"\t", `\t`}, + {"\n", `\n`}, + {"\r", `\r`}, +@@ -238,19 +238,19 @@ func TestJSRegexpEscaper(t *testing.T) { + {"\\n", `\\n`}, + {"foo\r\nbar", `foo\r\nbar`}, + // Preserve attribute boundaries. +- {`"`, `\x22`}, +- {`'`, `\x27`}, ++ {`"`, `\u0022`}, ++ {`'`, `\u0027`}, + // Allow embedding in HTML without further escaping. +- {`&`, `\x26amp;`}, ++ {`&`, `\u0026amp;`}, + // Prevent breaking out of text node and element boundaries. +- {"", `\x3c\/script\x3e`}, +- {"", `\]\]\x3e`}, ++ {"", `\u003c\/script\u003e`}, ++ {"", `\]\]\u003e`}, + // Escaping text spans. +- {"", `\-\-\x3e`}, ++ {"", `\-\-\u003e`}, + {"*", `\*`}, +- {"+", `\x2b`}, ++ {"+", `\u002b`}, + {"?", `\?`}, + {"[](){}", `\[\]\(\)\{\}`}, + {"$foo|x.y", `\$foo\|x\.y`}, +@@ -284,27 +284,27 @@ func TestEscapersOnLower7AndSelectHighCodepoints(t *testing.T) { + { + "jsStrEscaper", + jsStrEscaper, +- "\\0\x01\x02\x03\x04\x05\x06\x07" + +- "\x08\\t\\n\\x0b\\f\\r\x0E\x0F" + +- "\x10\x11\x12\x13\x14\x15\x16\x17" + +- "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" + +- ` !\x22#$%\x26\x27()*\x2b,-.\/` + +- `0123456789:;\x3c=\x3e?` + ++ `\u0000\u0001\u0002\u0003\u0004\u0005\u0006\u0007` + ++ `\u0008\t\n\u000b\f\r\u000e\u000f` + ++ `\u0010\u0011\u0012\u0013\u0014\u0015\u0016\u0017` + ++ `\u0018\u0019\u001a\u001b\u001c\u001d\u001e\u001f` + ++ ` !\u0022#$%\u0026\u0027()*\u002b,-.\/` + ++ `0123456789:;\u003c=\u003e?` + + `@ABCDEFGHIJKLMNO` + + `PQRSTUVWXYZ[\\]^_` + + "`abcdefghijklmno" + +- "pqrstuvwxyz{|}~\x7f" + ++ "pqrstuvwxyz{|}~\u007f" + + "\u00A0\u0100\\u2028\\u2029\ufeff\U0001D11E", + }, + { + "jsRegexpEscaper", + jsRegexpEscaper, +- "\\0\x01\x02\x03\x04\x05\x06\x07" + +- "\x08\\t\\n\\x0b\\f\\r\x0E\x0F" + +- "\x10\x11\x12\x13\x14\x15\x16\x17" + +- "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" + +- ` !\x22#\$%\x26\x27\(\)\*\x2b,\-\.\/` + +- `0123456789:;\x3c=\x3e\?` + ++ `\u0000\u0001\u0002\u0003\u0004\u0005\u0006\u0007` + ++ `\u0008\t\n\u000b\f\r\u000e\u000f` + ++ `\u0010\u0011\u0012\u0013\u0014\u0015\u0016\u0017` + ++ `\u0018\u0019\u001a\u001b\u001c\u001d\u001e\u001f` + ++ ` !\u0022#\$%\u0026\u0027\(\)\*\u002b,\-\.\/` + ++ `0123456789:;\u003c=\u003e\?` + + `@ABCDEFGHIJKLMNO` + + `PQRSTUVWXYZ\[\\\]\^_` + + "`abcdefghijklmno" + +diff --git a/src/html/template/template_test.go b/src/html/template/template_test.go +index 13e6ba4..86bd4db 100644 +--- a/src/html/template/template_test.go ++++ b/src/html/template/template_test.go +@@ -6,6 +6,7 @@ package template_test + + import ( + "bytes" ++ "encoding/json" + . "html/template" + "strings" + "testing" +@@ -121,6 +122,44 @@ func TestNumbers(t *testing.T) { + c.mustExecute(c.root, nil, "12.34 7.5") + } + ++func TestStringsInScriptsWithJsonContentTypeAreCorrectlyEscaped(t *testing.T) { ++ // See #33671 and #37634 for more context on this. ++ tests := []struct{ name, in string }{ ++ {"empty", ""}, ++ {"invalid", string(rune(-1))}, ++ {"null", "\u0000"}, ++ {"unit separator", "\u001F"}, ++ {"tab", "\t"}, ++ {"gt and lt", "<>"}, ++ {"quotes", `'"`}, ++ {"ASCII letters", "ASCII letters"}, ++ {"Unicode", "ʕ⊙ϖ⊙ʔ"}, ++ {"Pizza", "P"}, ++ } ++ const ( ++ prefix = `` ++ templ = prefix + `"{{.}}"` + suffix ++ ) ++ tpl := Must(New("JS string is JSON string").Parse(templ)) ++ for _, tt := range tests { ++ t.Run(tt.name, func(t *testing.T) { ++ var buf bytes.Buffer ++ if err := tpl.Execute(&buf, tt.in); err != nil { ++ t.Fatalf("Cannot render template: %v", err) ++ } ++ trimmed := bytes.TrimSuffix(bytes.TrimPrefix(buf.Bytes(), []byte(prefix)), []byte(suffix)) ++ var got string ++ if err := json.Unmarshal(trimmed, &got); err != nil { ++ t.Fatalf("Cannot parse JS string %q as JSON: %v", trimmed[1:len(trimmed)-1], err) ++ } ++ if got != tt.in { ++ t.Errorf("Serialization changed the string value: got %q want %q", got, tt.in) ++ } ++ }) ++ } ++} ++ + type testCase struct { + t *testing.T + root *Template +diff --git a/src/text/template/exec_test.go b/src/text/template/exec_test.go +index 77294ed..b8a809e 100644 +--- a/src/text/template/exec_test.go ++++ b/src/text/template/exec_test.go +@@ -911,9 +911,9 @@ func TestJSEscaping(t *testing.T) { + {`Go "jump" \`, `Go \"jump\" \\`}, + {`Yukihiro says "今日は世界"`, `Yukihiro says \"今日は世界\"`}, + {"unprintable \uFDFF", `unprintable \uFDFF`}, +- {``, `\x3Chtml\x3E`}, +- {`no = in attributes`, `no \x3D in attributes`}, +- {`' does not become HTML entity`, `\x26#x27; does not become HTML entity`}, ++ {``, `\u003Chtml\u003E`}, ++ {`no = in attributes`, `no \u003D in attributes`}, ++ {`' does not become HTML entity`, `\u0026#x27; does not become HTML entity`}, + } + for _, tc := range testCases { + s := JSEscapeString(tc.in) diff --git a/src/text/template/funcs.go b/src/text/template/funcs.go index 46125bc..f3de9fb 100644 --- a/src/text/template/funcs.go diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538_3.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538_3.patch new file mode 100644 index 0000000000..cd7dd0957c --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538_3.patch @@ -0,0 +1,393 @@ +From 7ddce23c7d5b728acf8482f5006497c7b9915f8a Mon Sep 17 00:00:00 2001 +From: Ariel Mashraki +Date: Wed, 22 Apr 2020 22:17:56 +0300 +Subject: [PATCH 3/6] text/template: add CommentNode to template parse tree +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fixes #34652 + +Change-Id: Icf6e3eda593fed826736f34f95a9d66f5450cc98 +Reviewed-on: https://go-review.googlesource.com/c/go/+/229398 +Reviewed-by: Daniel Martí +Run-TryBot: Daniel Martí +TryBot-Result: Gobot Gobot + +Dependency Patch #3 + +Upstream-Status: Backport from https://github.com/golang/go/commit/c8ea03828b0645b1fd5725888e44873b75fcfbb6 +CVE: CVE-2023-24538 +Signed-off-by: Shubham Kulkarni +--- + api/next.txt | 19 +++++++++++++++++++ + src/html/template/escape.go | 2 ++ + src/html/template/template_test.go | 16 ++++++++++++++++ + src/text/template/exec.go | 1 + + src/text/template/parse/lex.go | 8 +++++++- + src/text/template/parse/lex_test.go | 7 +++++-- + src/text/template/parse/node.go | 33 +++++++++++++++++++++++++++++++++ + src/text/template/parse/parse.go | 22 +++++++++++++++++++--- + src/text/template/parse/parse_test.go | 25 +++++++++++++++++++++++++ + 9 files changed, 127 insertions(+), 6 deletions(-) + +diff --git a/api/next.txt b/api/next.txt +index e69de29..076f39e 100644 +--- a/api/next.txt ++++ b/api/next.txt +@@ -0,0 +1,19 @@ ++pkg unicode, const Version = "13.0.0" ++pkg unicode, var Chorasmian *RangeTable ++pkg unicode, var Dives_Akuru *RangeTable ++pkg unicode, var Khitan_Small_Script *RangeTable ++pkg unicode, var Yezidi *RangeTable ++pkg text/template/parse, const NodeComment = 20 ++pkg text/template/parse, const NodeComment NodeType ++pkg text/template/parse, const ParseComments = 1 ++pkg text/template/parse, const ParseComments Mode ++pkg text/template/parse, method (*CommentNode) Copy() Node ++pkg text/template/parse, method (*CommentNode) String() string ++pkg text/template/parse, method (CommentNode) Position() Pos ++pkg text/template/parse, method (CommentNode) Type() NodeType ++pkg text/template/parse, type CommentNode struct ++pkg text/template/parse, type CommentNode struct, Text string ++pkg text/template/parse, type CommentNode struct, embedded NodeType ++pkg text/template/parse, type CommentNode struct, embedded Pos ++pkg text/template/parse, type Mode uint ++pkg text/template/parse, type Tree struct, Mode Mode +diff --git a/src/html/template/escape.go b/src/html/template/escape.go +index f12dafa..8739735 100644 +--- a/src/html/template/escape.go ++++ b/src/html/template/escape.go +@@ -124,6 +124,8 @@ func (e *escaper) escape(c context, n parse.Node) context { + switch n := n.(type) { + case *parse.ActionNode: + return e.escapeAction(c, n) ++ case *parse.CommentNode: ++ return c + case *parse.IfNode: + return e.escapeBranch(c, &n.BranchNode, "if") + case *parse.ListNode: +diff --git a/src/html/template/template_test.go b/src/html/template/template_test.go +index 86bd4db..1f2c888 100644 +--- a/src/html/template/template_test.go ++++ b/src/html/template/template_test.go +@@ -10,6 +10,7 @@ import ( + . "html/template" + "strings" + "testing" ++ "text/template/parse" + ) + + func TestTemplateClone(t *testing.T) { +@@ -160,6 +161,21 @@ func TestStringsInScriptsWithJsonContentTypeAreCorrectlyEscaped(t *testing.T) { + } + } + ++func TestSkipEscapeComments(t *testing.T) { ++ c := newTestCase(t) ++ tr := parse.New("root") ++ tr.Mode = parse.ParseComments ++ newT, err := tr.Parse("{{/* A comment */}}{{ 1 }}{{/* Another comment */}}", "", "", make(map[string]*parse.Tree)) ++ if err != nil { ++ t.Fatalf("Cannot parse template text: %v", err) ++ } ++ c.root, err = c.root.AddParseTree("root", newT) ++ if err != nil { ++ t.Fatalf("Cannot add parse tree to template: %v", err) ++ } ++ c.mustExecute(c.root, nil, "1") ++} ++ + type testCase struct { + t *testing.T + root *Template +diff --git a/src/text/template/exec.go b/src/text/template/exec.go +index ac3e741..7ac5175 100644 +--- a/src/text/template/exec.go ++++ b/src/text/template/exec.go +@@ -256,6 +256,7 @@ func (s *state) walk(dot reflect.Value, node parse.Node) { + if len(node.Pipe.Decl) == 0 { + s.printValue(node, val) + } ++ case *parse.CommentNode: + case *parse.IfNode: + s.walkIfOrWith(parse.NodeIf, dot, node.Pipe, node.List, node.ElseList) + case *parse.ListNode: +diff --git a/src/text/template/parse/lex.go b/src/text/template/parse/lex.go +index 30371f2..e41373a 100644 +--- a/src/text/template/parse/lex.go ++++ b/src/text/template/parse/lex.go +@@ -41,6 +41,7 @@ const ( + itemBool // boolean constant + itemChar // printable ASCII character; grab bag for comma etc. + itemCharConstant // character constant ++ itemComment // comment text + itemComplex // complex constant (1+2i); imaginary is just a number + itemAssign // equals ('=') introducing an assignment + itemDeclare // colon-equals (':=') introducing a declaration +@@ -112,6 +113,7 @@ type lexer struct { + leftDelim string // start of action + rightDelim string // end of action + trimRightDelim string // end of action with trim marker ++ emitComment bool // emit itemComment tokens. + pos Pos // current position in the input + start Pos // start position of this item + width Pos // width of last rune read from input +@@ -203,7 +205,7 @@ func (l *lexer) drain() { + } + + // lex creates a new scanner for the input string. +-func lex(name, input, left, right string) *lexer { ++func lex(name, input, left, right string, emitComment bool) *lexer { + if left == "" { + left = leftDelim + } +@@ -216,6 +218,7 @@ func lex(name, input, left, right string) *lexer { + leftDelim: left, + rightDelim: right, + trimRightDelim: rightTrimMarker + right, ++ emitComment: emitComment, + items: make(chan item), + line: 1, + startLine: 1, +@@ -323,6 +326,9 @@ func lexComment(l *lexer) stateFn { + if !delim { + return l.errorf("comment ends before closing delimiter") + } ++ if l.emitComment { ++ l.emit(itemComment) ++ } + if trimSpace { + l.pos += trimMarkerLen + } +diff --git a/src/text/template/parse/lex_test.go b/src/text/template/parse/lex_test.go +index 563c4fc..f6d5f28 100644 +--- a/src/text/template/parse/lex_test.go ++++ b/src/text/template/parse/lex_test.go +@@ -15,6 +15,7 @@ var itemName = map[itemType]string{ + itemBool: "bool", + itemChar: "char", + itemCharConstant: "charconst", ++ itemComment: "comment", + itemComplex: "complex", + itemDeclare: ":=", + itemEOF: "EOF", +@@ -90,6 +91,7 @@ var lexTests = []lexTest{ + {"text", `now is the time`, []item{mkItem(itemText, "now is the time"), tEOF}}, + {"text with comment", "hello-{{/* this is a comment */}}-world", []item{ + mkItem(itemText, "hello-"), ++ mkItem(itemComment, "/* this is a comment */"), + mkItem(itemText, "-world"), + tEOF, + }}, +@@ -311,6 +313,7 @@ var lexTests = []lexTest{ + }}, + {"trimming spaces before and after comment", "hello- {{- /* hello */ -}} -world", []item{ + mkItem(itemText, "hello-"), ++ mkItem(itemComment, "/* hello */"), + mkItem(itemText, "-world"), + tEOF, + }}, +@@ -389,7 +392,7 @@ var lexTests = []lexTest{ + + // collect gathers the emitted items into a slice. + func collect(t *lexTest, left, right string) (items []item) { +- l := lex(t.name, t.input, left, right) ++ l := lex(t.name, t.input, left, right, true) + for { + item := l.nextItem() + items = append(items, item) +@@ -529,7 +532,7 @@ func TestPos(t *testing.T) { + func TestShutdown(t *testing.T) { + // We need to duplicate template.Parse here to hold on to the lexer. + const text = "erroneous{{define}}{{else}}1234" +- lexer := lex("foo", text, "{{", "}}") ++ lexer := lex("foo", text, "{{", "}}", false) + _, err := New("root").parseLexer(lexer) + if err == nil { + t.Fatalf("expected error") +diff --git a/src/text/template/parse/node.go b/src/text/template/parse/node.go +index 1c116ea..a9dad5e 100644 +--- a/src/text/template/parse/node.go ++++ b/src/text/template/parse/node.go +@@ -70,6 +70,7 @@ const ( + NodeTemplate // A template invocation action. + NodeVariable // A $ variable. + NodeWith // A with action. ++ NodeComment // A comment. + ) + + // Nodes. +@@ -149,6 +150,38 @@ func (t *TextNode) Copy() Node { + return &TextNode{tr: t.tr, NodeType: NodeText, Pos: t.Pos, Text: append([]byte{}, t.Text...)} + } + ++// CommentNode holds a comment. ++type CommentNode struct { ++ NodeType ++ Pos ++ tr *Tree ++ Text string // Comment text. ++} ++ ++func (t *Tree) newComment(pos Pos, text string) *CommentNode { ++ return &CommentNode{tr: t, NodeType: NodeComment, Pos: pos, Text: text} ++} ++ ++func (c *CommentNode) String() string { ++ var sb strings.Builder ++ c.writeTo(&sb) ++ return sb.String() ++} ++ ++func (c *CommentNode) writeTo(sb *strings.Builder) { ++ sb.WriteString("{{") ++ sb.WriteString(c.Text) ++ sb.WriteString("}}") ++} ++ ++func (c *CommentNode) tree() *Tree { ++ return c.tr ++} ++ ++func (c *CommentNode) Copy() Node { ++ return &CommentNode{tr: c.tr, NodeType: NodeComment, Pos: c.Pos, Text: c.Text} ++} ++ + // PipeNode holds a pipeline with optional declaration + type PipeNode struct { + NodeType +diff --git a/src/text/template/parse/parse.go b/src/text/template/parse/parse.go +index c9b80f4..496d8bf 100644 +--- a/src/text/template/parse/parse.go ++++ b/src/text/template/parse/parse.go +@@ -21,6 +21,7 @@ type Tree struct { + Name string // name of the template represented by the tree. + ParseName string // name of the top-level template during parsing, for error messages. + Root *ListNode // top-level root of the tree. ++ Mode Mode // parsing mode. + text string // text parsed to create the template (or its parent) + // Parsing only; cleared after parse. + funcs []map[string]interface{} +@@ -29,8 +30,16 @@ type Tree struct { + peekCount int + vars []string // variables defined at the moment. + treeSet map[string]*Tree ++ mode Mode + } + ++// A mode value is a set of flags (or 0). Modes control parser behavior. ++type Mode uint ++ ++const ( ++ ParseComments Mode = 1 << iota // parse comments and add them to AST ++) ++ + // Copy returns a copy of the Tree. Any parsing state is discarded. + func (t *Tree) Copy() *Tree { + if t == nil { +@@ -220,7 +229,8 @@ func (t *Tree) stopParse() { + func (t *Tree) Parse(text, leftDelim, rightDelim string, treeSet map[string]*Tree, funcs ...map[string]interface{}) (tree *Tree, err error) { + defer t.recover(&err) + t.ParseName = t.Name +- t.startParse(funcs, lex(t.Name, text, leftDelim, rightDelim), treeSet) ++ emitComment := t.Mode&ParseComments != 0 ++ t.startParse(funcs, lex(t.Name, text, leftDelim, rightDelim, emitComment), treeSet) + t.text = text + t.parse() + t.add() +@@ -240,12 +250,14 @@ func (t *Tree) add() { + } + } + +-// IsEmptyTree reports whether this tree (node) is empty of everything but space. ++// IsEmptyTree reports whether this tree (node) is empty of everything but space or comments. + func IsEmptyTree(n Node) bool { + switch n := n.(type) { + case nil: + return true + case *ActionNode: ++ case *CommentNode: ++ return true + case *IfNode: + case *ListNode: + for _, node := range n.Nodes { +@@ -276,6 +288,7 @@ func (t *Tree) parse() { + if t.nextNonSpace().typ == itemDefine { + newT := New("definition") // name will be updated once we know it. + newT.text = t.text ++ newT.Mode = t.Mode + newT.ParseName = t.ParseName + newT.startParse(t.funcs, t.lex, t.treeSet) + newT.parseDefinition() +@@ -331,13 +344,15 @@ func (t *Tree) itemList() (list *ListNode, next Node) { + } + + // textOrAction: +-// text | action ++// text | comment | action + func (t *Tree) textOrAction() Node { + switch token := t.nextNonSpace(); token.typ { + case itemText: + return t.newText(token.pos, token.val) + case itemLeftDelim: + return t.action() ++ case itemComment: ++ return t.newComment(token.pos, token.val) + default: + t.unexpected(token, "input") + } +@@ -539,6 +554,7 @@ func (t *Tree) blockControl() Node { + + block := New(name) // name will be updated once we know it. + block.text = t.text ++ block.Mode = t.Mode + block.ParseName = t.ParseName + block.startParse(t.funcs, t.lex, t.treeSet) + var end Node +diff --git a/src/text/template/parse/parse_test.go b/src/text/template/parse/parse_test.go +index 4e09a78..d9c13c5 100644 +--- a/src/text/template/parse/parse_test.go ++++ b/src/text/template/parse/parse_test.go +@@ -348,6 +348,30 @@ func TestParseCopy(t *testing.T) { + testParse(true, t) + } + ++func TestParseWithComments(t *testing.T) { ++ textFormat = "%q" ++ defer func() { textFormat = "%s" }() ++ tests := [...]parseTest{ ++ {"comment", "{{/*\n\n\n*/}}", noError, "{{/*\n\n\n*/}}"}, ++ {"comment trim left", "x \r\n\t{{- /* hi */}}", noError, `"x"{{/* hi */}}`}, ++ {"comment trim right", "{{/* hi */ -}}\n\n\ty", noError, `{{/* hi */}}"y"`}, ++ {"comment trim left and right", "x \r\n\t{{- /* */ -}}\n\n\ty", noError, `"x"{{/* */}}"y"`}, ++ } ++ for _, test := range tests { ++ t.Run(test.name, func(t *testing.T) { ++ tr := New(test.name) ++ tr.Mode = ParseComments ++ tmpl, err := tr.Parse(test.input, "", "", make(map[string]*Tree)) ++ if err != nil { ++ t.Errorf("%q: expected error; got none", test.name) ++ } ++ if result := tmpl.Root.String(); result != test.result { ++ t.Errorf("%s=(%q): got\n\t%v\nexpected\n\t%v", test.name, test.input, result, test.result) ++ } ++ }) ++ } ++} ++ + type isEmptyTest struct { + name string + input string +@@ -358,6 +382,7 @@ var isEmptyTests = []isEmptyTest{ + {"empty", ``, true}, + {"nonempty", `hello`, false}, + {"spaces only", " \t\n \t\n", true}, ++ {"comment only", "{{/* comment */}}", true}, + {"definition", `{{define "x"}}something{{end}}`, true}, + {"definitions and space", "{{define `x`}}something{{end}}\n\n{{define `y`}}something{{end}}\n\n", true}, + {"definitions and text", "{{define `x`}}something{{end}}\nx\n{{define `y`}}something{{end}}\ny\n", false}, +-- +2.7.4 diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538_4.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538_4.patch new file mode 100644 index 0000000000..d5e2eb6684 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538_4.patch @@ -0,0 +1,497 @@ +From 760d88497091fb5d6d231a18e6f4e06ecb9af9b2 Mon Sep 17 00:00:00 2001 +From: Russ Cox +Date: Thu, 10 Sep 2020 18:53:26 -0400 +Subject: [PATCH 4/6] text/template: allow newlines inside action delimiters + +This allows multiline constructs like: + + {{"hello" | + printf}} + +Now that unclosed actions can span multiple lines, +track and report the start of the action when reporting errors. + +Also clean up a few "unexpected " to be just "". + +Fixes #29770. + +Change-Id: I54c6c016029a8328b7902a4b6d85eab713ec3285 +Reviewed-on: https://go-review.googlesource.com/c/go/+/254257 +Trust: Russ Cox +Run-TryBot: Russ Cox +TryBot-Result: Go Bot +Reviewed-by: Rob Pike + +Dependency Patch #4 + +Upstream-Status: Backport from https://github.com/golang/go/commit/9384d34c58099657bb1b133beaf3ff37ada9b017 +CVE: CVE-2023-24538 +Signed-off-by: Shubham Kulkarni +--- + src/text/template/doc.go | 21 ++++----- + src/text/template/exec_test.go | 2 +- + src/text/template/parse/lex.go | 84 +++++++++++++++++------------------ + src/text/template/parse/lex_test.go | 2 +- + src/text/template/parse/parse.go | 59 +++++++++++++----------- + src/text/template/parse/parse_test.go | 36 ++++++++++++--- + 6 files changed, 117 insertions(+), 87 deletions(-) + +diff --git a/src/text/template/doc.go b/src/text/template/doc.go +index 4b0efd2..7b30294 100644 +--- a/src/text/template/doc.go ++++ b/src/text/template/doc.go +@@ -40,16 +40,17 @@ More intricate examples appear below. + Text and spaces + + By default, all text between actions is copied verbatim when the template is +-executed. For example, the string " items are made of " in the example above appears +-on standard output when the program is run. +- +-However, to aid in formatting template source code, if an action's left delimiter +-(by default "{{") is followed immediately by a minus sign and ASCII space character +-("{{- "), all trailing white space is trimmed from the immediately preceding text. +-Similarly, if the right delimiter ("}}") is preceded by a space and minus sign +-(" -}}"), all leading white space is trimmed from the immediately following text. +-In these trim markers, the ASCII space must be present; "{{-3}}" parses as an +-action containing the number -3. ++executed. For example, the string " items are made of " in the example above ++appears on standard output when the program is run. ++ ++However, to aid in formatting template source code, if an action's left ++delimiter (by default "{{") is followed immediately by a minus sign and white ++space, all trailing white space is trimmed from the immediately preceding text. ++Similarly, if the right delimiter ("}}") is preceded by white space and a minus ++sign, all leading white space is trimmed from the immediately following text. ++In these trim markers, the white space must be present: ++"{{- 3}}" is like "{{3}}" but trims the immediately preceding text, while ++"{{-3}}" parses as an action containing the number -3. + + For instance, when executing the template whose source is + +diff --git a/src/text/template/exec_test.go b/src/text/template/exec_test.go +index b8a809e..3309b33 100644 +--- a/src/text/template/exec_test.go ++++ b/src/text/template/exec_test.go +@@ -1295,7 +1295,7 @@ func TestUnterminatedStringError(t *testing.T) { + t.Fatal("expected error") + } + str := err.Error() +- if !strings.Contains(str, "X:3: unexpected unterminated raw quoted string") { ++ if !strings.Contains(str, "X:3: unterminated raw quoted string") { + t.Fatalf("unexpected error: %s", str) + } + } +diff --git a/src/text/template/parse/lex.go b/src/text/template/parse/lex.go +index e41373a..6784071 100644 +--- a/src/text/template/parse/lex.go ++++ b/src/text/template/parse/lex.go +@@ -92,15 +92,14 @@ const eof = -1 + // If the action begins "{{- " rather than "{{", then all space/tab/newlines + // preceding the action are trimmed; conversely if it ends " -}}" the + // leading spaces are trimmed. This is done entirely in the lexer; the +-// parser never sees it happen. We require an ASCII space to be +-// present to avoid ambiguity with things like "{{-3}}". It reads ++// parser never sees it happen. We require an ASCII space (' ', \t, \r, \n) ++// to be present to avoid ambiguity with things like "{{-3}}". It reads + // better with the space present anyway. For simplicity, only ASCII +-// space does the job. ++// does the job. + const ( +- spaceChars = " \t\r\n" // These are the space characters defined by Go itself. +- leftTrimMarker = "- " // Attached to left delimiter, trims trailing spaces from preceding text. +- rightTrimMarker = " -" // Attached to right delimiter, trims leading spaces from following text. +- trimMarkerLen = Pos(len(leftTrimMarker)) ++ spaceChars = " \t\r\n" // These are the space characters defined by Go itself. ++ trimMarker = '-' // Attached to left/right delimiter, trims trailing spaces from preceding/following text. ++ trimMarkerLen = Pos(1 + 1) // marker plus space before or after + ) + + // stateFn represents the state of the scanner as a function that returns the next state. +@@ -108,19 +107,18 @@ type stateFn func(*lexer) stateFn + + // lexer holds the state of the scanner. + type lexer struct { +- name string // the name of the input; used only for error reports +- input string // the string being scanned +- leftDelim string // start of action +- rightDelim string // end of action +- trimRightDelim string // end of action with trim marker +- emitComment bool // emit itemComment tokens. +- pos Pos // current position in the input +- start Pos // start position of this item +- width Pos // width of last rune read from input +- items chan item // channel of scanned items +- parenDepth int // nesting depth of ( ) exprs +- line int // 1+number of newlines seen +- startLine int // start line of this item ++ name string // the name of the input; used only for error reports ++ input string // the string being scanned ++ leftDelim string // start of action ++ rightDelim string // end of action ++ emitComment bool // emit itemComment tokens. ++ pos Pos // current position in the input ++ start Pos // start position of this item ++ width Pos // width of last rune read from input ++ items chan item // channel of scanned items ++ parenDepth int // nesting depth of ( ) exprs ++ line int // 1+number of newlines seen ++ startLine int // start line of this item + } + + // next returns the next rune in the input. +@@ -213,15 +211,14 @@ func lex(name, input, left, right string, emitComment bool) *lexer { + right = rightDelim + } + l := &lexer{ +- name: name, +- input: input, +- leftDelim: left, +- rightDelim: right, +- trimRightDelim: rightTrimMarker + right, +- emitComment: emitComment, +- items: make(chan item), +- line: 1, +- startLine: 1, ++ name: name, ++ input: input, ++ leftDelim: left, ++ rightDelim: right, ++ emitComment: emitComment, ++ items: make(chan item), ++ line: 1, ++ startLine: 1, + } + go l.run() + return l +@@ -251,7 +248,7 @@ func lexText(l *lexer) stateFn { + ldn := Pos(len(l.leftDelim)) + l.pos += Pos(x) + trimLength := Pos(0) +- if strings.HasPrefix(l.input[l.pos+ldn:], leftTrimMarker) { ++ if hasLeftTrimMarker(l.input[l.pos+ldn:]) { + trimLength = rightTrimLength(l.input[l.start:l.pos]) + } + l.pos -= trimLength +@@ -280,7 +277,7 @@ func rightTrimLength(s string) Pos { + + // atRightDelim reports whether the lexer is at a right delimiter, possibly preceded by a trim marker. + func (l *lexer) atRightDelim() (delim, trimSpaces bool) { +- if strings.HasPrefix(l.input[l.pos:], l.trimRightDelim) { // With trim marker. ++ if hasRightTrimMarker(l.input[l.pos:]) && strings.HasPrefix(l.input[l.pos+trimMarkerLen:], l.rightDelim) { // With trim marker. + return true, true + } + if strings.HasPrefix(l.input[l.pos:], l.rightDelim) { // Without trim marker. +@@ -297,7 +294,7 @@ func leftTrimLength(s string) Pos { + // lexLeftDelim scans the left delimiter, which is known to be present, possibly with a trim marker. + func lexLeftDelim(l *lexer) stateFn { + l.pos += Pos(len(l.leftDelim)) +- trimSpace := strings.HasPrefix(l.input[l.pos:], leftTrimMarker) ++ trimSpace := hasLeftTrimMarker(l.input[l.pos:]) + afterMarker := Pos(0) + if trimSpace { + afterMarker = trimMarkerLen +@@ -342,7 +339,7 @@ func lexComment(l *lexer) stateFn { + + // lexRightDelim scans the right delimiter, which is known to be present, possibly with a trim marker. + func lexRightDelim(l *lexer) stateFn { +- trimSpace := strings.HasPrefix(l.input[l.pos:], rightTrimMarker) ++ trimSpace := hasRightTrimMarker(l.input[l.pos:]) + if trimSpace { + l.pos += trimMarkerLen + l.ignore() +@@ -369,7 +366,7 @@ func lexInsideAction(l *lexer) stateFn { + return l.errorf("unclosed left paren") + } + switch r := l.next(); { +- case r == eof || isEndOfLine(r): ++ case r == eof: + return l.errorf("unclosed action") + case isSpace(r): + l.backup() // Put space back in case we have " -}}". +@@ -439,7 +436,7 @@ func lexSpace(l *lexer) stateFn { + } + // Be careful about a trim-marked closing delimiter, which has a minus + // after a space. We know there is a space, so check for the '-' that might follow. +- if strings.HasPrefix(l.input[l.pos-1:], l.trimRightDelim) { ++ if hasRightTrimMarker(l.input[l.pos-1:]) && strings.HasPrefix(l.input[l.pos-1+trimMarkerLen:], l.rightDelim) { + l.backup() // Before the space. + if numSpaces == 1 { + return lexRightDelim // On the delim, so go right to that. +@@ -526,7 +523,7 @@ func lexFieldOrVariable(l *lexer, typ itemType) stateFn { + // day to implement arithmetic. + func (l *lexer) atTerminator() bool { + r := l.peek() +- if isSpace(r) || isEndOfLine(r) { ++ if isSpace(r) { + return true + } + switch r { +@@ -657,15 +654,18 @@ Loop: + + // isSpace reports whether r is a space character. + func isSpace(r rune) bool { +- return r == ' ' || r == '\t' +-} +- +-// isEndOfLine reports whether r is an end-of-line character. +-func isEndOfLine(r rune) bool { +- return r == '\r' || r == '\n' ++ return r == ' ' || r == '\t' || r == '\r' || r == '\n' + } + + // isAlphaNumeric reports whether r is an alphabetic, digit, or underscore. + func isAlphaNumeric(r rune) bool { + return r == '_' || unicode.IsLetter(r) || unicode.IsDigit(r) + } ++ ++func hasLeftTrimMarker(s string) bool { ++ return len(s) >= 2 && s[0] == trimMarker && isSpace(rune(s[1])) ++} ++ ++func hasRightTrimMarker(s string) bool { ++ return len(s) >= 2 && isSpace(rune(s[0])) && s[1] == trimMarker ++} +diff --git a/src/text/template/parse/lex_test.go b/src/text/template/parse/lex_test.go +index f6d5f28..6510eed 100644 +--- a/src/text/template/parse/lex_test.go ++++ b/src/text/template/parse/lex_test.go +@@ -323,7 +323,7 @@ var lexTests = []lexTest{ + tLeft, + mkItem(itemError, "unrecognized character in action: U+0001"), + }}, +- {"unclosed action", "{{\n}}", []item{ ++ {"unclosed action", "{{", []item{ + tLeft, + mkItem(itemError, "unclosed action"), + }}, +diff --git a/src/text/template/parse/parse.go b/src/text/template/parse/parse.go +index 496d8bf..5e6e512 100644 +--- a/src/text/template/parse/parse.go ++++ b/src/text/template/parse/parse.go +@@ -24,13 +24,14 @@ type Tree struct { + Mode Mode // parsing mode. + text string // text parsed to create the template (or its parent) + // Parsing only; cleared after parse. +- funcs []map[string]interface{} +- lex *lexer +- token [3]item // three-token lookahead for parser. +- peekCount int +- vars []string // variables defined at the moment. +- treeSet map[string]*Tree +- mode Mode ++ funcs []map[string]interface{} ++ lex *lexer ++ token [3]item // three-token lookahead for parser. ++ peekCount int ++ vars []string // variables defined at the moment. ++ treeSet map[string]*Tree ++ actionLine int // line of left delim starting action ++ mode Mode + } + + // A mode value is a set of flags (or 0). Modes control parser behavior. +@@ -187,6 +188,16 @@ func (t *Tree) expectOneOf(expected1, expected2 itemType, context string) item { + + // unexpected complains about the token and terminates processing. + func (t *Tree) unexpected(token item, context string) { ++ if token.typ == itemError { ++ extra := "" ++ if t.actionLine != 0 && t.actionLine != token.line { ++ extra = fmt.Sprintf(" in action started at %s:%d", t.ParseName, t.actionLine) ++ if strings.HasSuffix(token.val, " action") { ++ extra = extra[len(" in action"):] // avoid "action in action" ++ } ++ } ++ t.errorf("%s%s", token, extra) ++ } + t.errorf("unexpected %s in %s", token, context) + } + +@@ -350,6 +361,8 @@ func (t *Tree) textOrAction() Node { + case itemText: + return t.newText(token.pos, token.val) + case itemLeftDelim: ++ t.actionLine = token.line ++ defer t.clearActionLine() + return t.action() + case itemComment: + return t.newComment(token.pos, token.val) +@@ -359,6 +372,10 @@ func (t *Tree) textOrAction() Node { + return nil + } + ++func (t *Tree) clearActionLine() { ++ t.actionLine = 0 ++} ++ + // Action: + // control + // command ("|" command)* +@@ -384,12 +401,12 @@ func (t *Tree) action() (n Node) { + t.backup() + token := t.peek() + // Do not pop variables; they persist until "end". +- return t.newAction(token.pos, token.line, t.pipeline("command")) ++ return t.newAction(token.pos, token.line, t.pipeline("command", itemRightDelim)) + } + + // Pipeline: + // declarations? command ('|' command)* +-func (t *Tree) pipeline(context string) (pipe *PipeNode) { ++func (t *Tree) pipeline(context string, end itemType) (pipe *PipeNode) { + token := t.peekNonSpace() + pipe = t.newPipeline(token.pos, token.line, nil) + // Are there declarations or assignments? +@@ -430,12 +447,9 @@ decls: + } + for { + switch token := t.nextNonSpace(); token.typ { +- case itemRightDelim, itemRightParen: ++ case end: + // At this point, the pipeline is complete + t.checkPipeline(pipe, context) +- if token.typ == itemRightParen { +- t.backup() +- } + return + case itemBool, itemCharConstant, itemComplex, itemDot, itemField, itemIdentifier, + itemNumber, itemNil, itemRawString, itemString, itemVariable, itemLeftParen: +@@ -464,7 +478,7 @@ func (t *Tree) checkPipeline(pipe *PipeNode, context string) { + + func (t *Tree) parseControl(allowElseIf bool, context string) (pos Pos, line int, pipe *PipeNode, list, elseList *ListNode) { + defer t.popVars(len(t.vars)) +- pipe = t.pipeline(context) ++ pipe = t.pipeline(context, itemRightDelim) + var next Node + list, next = t.itemList() + switch next.Type() { +@@ -550,7 +564,7 @@ func (t *Tree) blockControl() Node { + + token := t.nextNonSpace() + name := t.parseTemplateName(token, context) +- pipe := t.pipeline(context) ++ pipe := t.pipeline(context, itemRightDelim) + + block := New(name) // name will be updated once we know it. + block.text = t.text +@@ -580,7 +594,7 @@ func (t *Tree) templateControl() Node { + if t.nextNonSpace().typ != itemRightDelim { + t.backup() + // Do not pop variables; they persist until "end". +- pipe = t.pipeline(context) ++ pipe = t.pipeline(context, itemRightDelim) + } + return t.newTemplate(token.pos, token.line, name, pipe) + } +@@ -614,13 +628,12 @@ func (t *Tree) command() *CommandNode { + switch token := t.next(); token.typ { + case itemSpace: + continue +- case itemError: +- t.errorf("%s", token.val) + case itemRightDelim, itemRightParen: + t.backup() + case itemPipe: ++ // nothing here; break loop below + default: +- t.errorf("unexpected %s in operand", token) ++ t.unexpected(token, "operand") + } + break + } +@@ -675,8 +688,6 @@ func (t *Tree) operand() Node { + // A nil return means the next item is not a term. + func (t *Tree) term() Node { + switch token := t.nextNonSpace(); token.typ { +- case itemError: +- t.errorf("%s", token.val) + case itemIdentifier: + if !t.hasFunction(token.val) { + t.errorf("function %q not defined", token.val) +@@ -699,11 +710,7 @@ func (t *Tree) term() Node { + } + return number + case itemLeftParen: +- pipe := t.pipeline("parenthesized pipeline") +- if token := t.next(); token.typ != itemRightParen { +- t.errorf("unclosed right paren: unexpected %s", token) +- } +- return pipe ++ return t.pipeline("parenthesized pipeline", itemRightParen) + case itemString, itemRawString: + s, err := strconv.Unquote(token.val) + if err != nil { +diff --git a/src/text/template/parse/parse_test.go b/src/text/template/parse/parse_test.go +index d9c13c5..220f984 100644 +--- a/src/text/template/parse/parse_test.go ++++ b/src/text/template/parse/parse_test.go +@@ -250,6 +250,13 @@ var parseTests = []parseTest{ + {"comment trim left and right", "x \r\n\t{{- /* */ -}}\n\n\ty", noError, `"x""y"`}, + {"block definition", `{{block "foo" .}}hello{{end}}`, noError, + `{{template "foo" .}}`}, ++ ++ {"newline in assignment", "{{ $x \n := \n 1 \n }}", noError, "{{$x := 1}}"}, ++ {"newline in empty action", "{{\n}}", hasError, "{{\n}}"}, ++ {"newline in pipeline", "{{\n\"x\"\n|\nprintf\n}}", noError, `{{"x" | printf}}`}, ++ {"newline in comment", "{{/*\nhello\n*/}}", noError, ""}, ++ {"newline in comment", "{{-\n/*\nhello\n*/\n-}}", noError, ""}, ++ + // Errors. + {"unclosed action", "hello{{range", hasError, ""}, + {"unmatched end", "{{end}}", hasError, ""}, +@@ -426,23 +433,38 @@ var errorTests = []parseTest{ + // Check line numbers are accurate. + {"unclosed1", + "line1\n{{", +- hasError, `unclosed1:2: unexpected unclosed action in command`}, ++ hasError, `unclosed1:2: unclosed action`}, + {"unclosed2", + "line1\n{{define `x`}}line2\n{{", +- hasError, `unclosed2:3: unexpected unclosed action in command`}, ++ hasError, `unclosed2:3: unclosed action`}, ++ {"unclosed3", ++ "line1\n{{\"x\"\n\"y\"\n", ++ hasError, `unclosed3:4: unclosed action started at unclosed3:2`}, ++ {"unclosed4", ++ "{{\n\n\n\n\n", ++ hasError, `unclosed4:6: unclosed action started at unclosed4:1`}, ++ {"var1", ++ "line1\n{{\nx\n}}", ++ hasError, `var1:3: function "x" not defined`}, + // Specific errors. + {"function", + "{{foo}}", + hasError, `function "foo" not defined`}, +- {"comment", ++ {"comment1", + "{{/*}}", +- hasError, `unclosed comment`}, ++ hasError, `comment1:1: unclosed comment`}, ++ {"comment2", ++ "{{/*\nhello\n}}", ++ hasError, `comment2:1: unclosed comment`}, + {"lparen", + "{{.X (1 2 3}}", + hasError, `unclosed left paren`}, + {"rparen", +- "{{.X 1 2 3)}}", +- hasError, `unexpected ")"`}, ++ "{{.X 1 2 3 ) }}", ++ hasError, `unexpected ")" in command`}, ++ {"rparen2", ++ "{{(.X 1 2 3", ++ hasError, `unclosed action`}, + {"space", + "{{`x`3}}", + hasError, `in operand`}, +@@ -488,7 +510,7 @@ var errorTests = []parseTest{ + hasError, `missing value for parenthesized pipeline`}, + {"multilinerawstring", + "{{ $v := `\n` }} {{", +- hasError, `multilinerawstring:2: unexpected unclosed action`}, ++ hasError, `multilinerawstring:2: unclosed action`}, + {"rangeundefvar", + "{{range $k}}{{end}}", + hasError, `undefined variable`}, +-- +2.7.4 diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538_5.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538_5.patch new file mode 100644 index 0000000000..fc38929648 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538_5.patch @@ -0,0 +1,585 @@ +From e0e6bca6ddc0e6d9fa3a5b644af9b446924fbf83 Mon Sep 17 00:00:00 2001 +From: Russ Cox +Date: Thu, 20 May 2021 12:46:33 -0400 +Subject: [PATCH 5/6] html/template, text/template: implement break and + continue for range loops + +Break and continue for range loops was accepted as a proposal in June 2017. +It was implemented in CL 66410 (Oct 2017) +but then rolled back in CL 92155 (Feb 2018) +because html/template changes had not been implemented. + +This CL reimplements break and continue in text/template +and then adds support for them in html/template as well. + +Fixes #20531. + +Change-Id: I05330482a976f1c078b4b49c2287bd9031bb7616 +Reviewed-on: https://go-review.googlesource.com/c/go/+/321491 +Trust: Russ Cox +Run-TryBot: Russ Cox +TryBot-Result: Go Bot +Reviewed-by: Rob Pike + +Dependency Patch #5 + +Upstream-Status: Backport from https://github.com/golang/go/commit/d0dd26a88c019d54f22463daae81e785f5867565 +CVE: CVE-2023-24538 +Signed-off-by: Shubham Kulkarni +--- + src/html/template/context.go | 4 ++ + src/html/template/escape.go | 71 ++++++++++++++++++++++++++++++++++- + src/html/template/escape_test.go | 24 ++++++++++++ + src/text/template/doc.go | 8 ++++ + src/text/template/exec.go | 24 +++++++++++- + src/text/template/exec_test.go | 2 + + src/text/template/parse/lex.go | 13 ++++++- + src/text/template/parse/lex_test.go | 2 + + src/text/template/parse/node.go | 36 ++++++++++++++++++ + src/text/template/parse/parse.go | 42 ++++++++++++++++++++- + src/text/template/parse/parse_test.go | 8 ++++ + 11 files changed, 230 insertions(+), 4 deletions(-) + +diff --git a/src/html/template/context.go b/src/html/template/context.go +index f7d4849..aaa7d08 100644 +--- a/src/html/template/context.go ++++ b/src/html/template/context.go +@@ -6,6 +6,7 @@ package template + + import ( + "fmt" ++ "text/template/parse" + ) + + // context describes the state an HTML parser must be in when it reaches the +@@ -22,6 +23,7 @@ type context struct { + jsCtx jsCtx + attr attr + element element ++ n parse.Node // for range break/continue + err *Error + } + +@@ -141,6 +143,8 @@ const ( + // stateError is an infectious error state outside any valid + // HTML/CSS/JS construct. + stateError ++ // stateDead marks unreachable code after a {{break}} or {{continue}}. ++ stateDead + ) + + // isComment is true for any state that contains content meant for template +diff --git a/src/html/template/escape.go b/src/html/template/escape.go +index 8739735..6dea79c 100644 +--- a/src/html/template/escape.go ++++ b/src/html/template/escape.go +@@ -97,6 +97,15 @@ type escaper struct { + actionNodeEdits map[*parse.ActionNode][]string + templateNodeEdits map[*parse.TemplateNode]string + textNodeEdits map[*parse.TextNode][]byte ++ // rangeContext holds context about the current range loop. ++ rangeContext *rangeContext ++} ++ ++// rangeContext holds information about the current range loop. ++type rangeContext struct { ++ outer *rangeContext // outer loop ++ breaks []context // context at each break action ++ continues []context // context at each continue action + } + + // makeEscaper creates a blank escaper for the given set. +@@ -109,6 +118,7 @@ func makeEscaper(n *nameSpace) escaper { + map[*parse.ActionNode][]string{}, + map[*parse.TemplateNode]string{}, + map[*parse.TextNode][]byte{}, ++ nil, + } + } + +@@ -124,8 +134,16 @@ func (e *escaper) escape(c context, n parse.Node) context { + switch n := n.(type) { + case *parse.ActionNode: + return e.escapeAction(c, n) ++ case *parse.BreakNode: ++ c.n = n ++ e.rangeContext.breaks = append(e.rangeContext.breaks, c) ++ return context{state: stateDead} + case *parse.CommentNode: + return c ++ case *parse.ContinueNode: ++ c.n = n ++ e.rangeContext.continues = append(e.rangeContext.breaks, c) ++ return context{state: stateDead} + case *parse.IfNode: + return e.escapeBranch(c, &n.BranchNode, "if") + case *parse.ListNode: +@@ -427,6 +445,12 @@ func join(a, b context, node parse.Node, nodeName string) context { + if b.state == stateError { + return b + } ++ if a.state == stateDead { ++ return b ++ } ++ if b.state == stateDead { ++ return a ++ } + if a.eq(b) { + return a + } +@@ -466,14 +490,27 @@ func join(a, b context, node parse.Node, nodeName string) context { + + // escapeBranch escapes a branch template node: "if", "range" and "with". + func (e *escaper) escapeBranch(c context, n *parse.BranchNode, nodeName string) context { ++ if nodeName == "range" { ++ e.rangeContext = &rangeContext{outer: e.rangeContext} ++ } + c0 := e.escapeList(c, n.List) +- if nodeName == "range" && c0.state != stateError { ++ if nodeName == "range" { ++ if c0.state != stateError { ++ c0 = joinRange(c0, e.rangeContext) ++ } ++ e.rangeContext = e.rangeContext.outer ++ if c0.state == stateError { ++ return c0 ++ } ++ + // The "true" branch of a "range" node can execute multiple times. + // We check that executing n.List once results in the same context + // as executing n.List twice. ++ e.rangeContext = &rangeContext{outer: e.rangeContext} + c1, _ := e.escapeListConditionally(c0, n.List, nil) + c0 = join(c0, c1, n, nodeName) + if c0.state == stateError { ++ e.rangeContext = e.rangeContext.outer + // Make clear that this is a problem on loop re-entry + // since developers tend to overlook that branch when + // debugging templates. +@@ -481,11 +518,39 @@ func (e *escaper) escapeBranch(c context, n *parse.BranchNode, nodeName string) + c0.err.Description = "on range loop re-entry: " + c0.err.Description + return c0 + } ++ c0 = joinRange(c0, e.rangeContext) ++ e.rangeContext = e.rangeContext.outer ++ if c0.state == stateError { ++ return c0 ++ } + } + c1 := e.escapeList(c, n.ElseList) + return join(c0, c1, n, nodeName) + } + ++func joinRange(c0 context, rc *rangeContext) context { ++ // Merge contexts at break and continue statements into overall body context. ++ // In theory we could treat breaks differently from continues, but for now it is ++ // enough to treat them both as going back to the start of the loop (which may then stop). ++ for _, c := range rc.breaks { ++ c0 = join(c0, c, c.n, "range") ++ if c0.state == stateError { ++ c0.err.Line = c.n.(*parse.BreakNode).Line ++ c0.err.Description = "at range loop break: " + c0.err.Description ++ return c0 ++ } ++ } ++ for _, c := range rc.continues { ++ c0 = join(c0, c, c.n, "range") ++ if c0.state == stateError { ++ c0.err.Line = c.n.(*parse.ContinueNode).Line ++ c0.err.Description = "at range loop continue: " + c0.err.Description ++ return c0 ++ } ++ } ++ return c0 ++} ++ + // escapeList escapes a list template node. + func (e *escaper) escapeList(c context, n *parse.ListNode) context { + if n == nil { +@@ -493,6 +558,9 @@ func (e *escaper) escapeList(c context, n *parse.ListNode) context { + } + for _, m := range n.Nodes { + c = e.escape(c, m) ++ if c.state == stateDead { ++ break ++ } + } + return c + } +@@ -503,6 +571,7 @@ func (e *escaper) escapeList(c context, n *parse.ListNode) context { + // which is the same as whether e was updated. + func (e *escaper) escapeListConditionally(c context, n *parse.ListNode, filter func(*escaper, context) bool) (context, bool) { + e1 := makeEscaper(e.ns) ++ e1.rangeContext = e.rangeContext + // Make type inferences available to f. + for k, v := range e.output { + e1.output[k] = v +diff --git a/src/html/template/escape_test.go b/src/html/template/escape_test.go +index c709660..fa2b84a 100644 +--- a/src/html/template/escape_test.go ++++ b/src/html/template/escape_test.go +@@ -920,6 +920,22 @@ func TestErrors(t *testing.T) { + "", + "", + }, ++ { ++ "{{range .Items}}{{end}}", ++ "", ++ }, ++ { ++ "{{range .Items}}{{continue}}{{end}}", ++ "", ++ }, ++ { ++ "{{range .Items}}{{break}}{{end}}", ++ "", ++ }, ++ { ++ "{{range .Items}}{{if .X}}{{break}}{{end}}{{end}}", ++ "", ++ }, + // Error cases. + { + "{{if .Cond}}{{end}}", ++ "z:1:29: at range loop break: {{range}} branches end in different contexts", ++ }, ++ { ++ "{{range .Items}}{{end}}", ++ "z:1:29: at range loop continue: {{range}} branches end in different contexts", ++ }, ++ { + " 1 { + s.setTopVar(2, index) + } ++ defer s.pop(mark) ++ defer func() { ++ // Consume panic(walkContinue) ++ if r := recover(); r != nil && r != walkContinue { ++ panic(r) ++ } ++ }() + s.walk(elem, r.List) +- s.pop(mark) + } + switch val.Kind() { + case reflect.Array, reflect.Slice: +diff --git a/src/text/template/exec_test.go b/src/text/template/exec_test.go +index 3309b33..a639f44 100644 +--- a/src/text/template/exec_test.go ++++ b/src/text/template/exec_test.go +@@ -563,6 +563,8 @@ var execTests = []execTest{ + {"range empty no else", "{{range .SIEmpty}}-{{.}}-{{end}}", "", tVal, true}, + {"range []int else", "{{range .SI}}-{{.}}-{{else}}EMPTY{{end}}", "-3--4--5-", tVal, true}, + {"range empty else", "{{range .SIEmpty}}-{{.}}-{{else}}EMPTY{{end}}", "EMPTY", tVal, true}, ++ {"range []int break else", "{{range .SI}}-{{.}}-{{break}}NOTREACHED{{else}}EMPTY{{end}}", "-3-", tVal, true}, ++ {"range []int continue else", "{{range .SI}}-{{.}}-{{continue}}NOTREACHED{{else}}EMPTY{{end}}", "-3--4--5-", tVal, true}, + {"range []bool", "{{range .SB}}-{{.}}-{{end}}", "-true--false-", tVal, true}, + {"range []int method", "{{range .SI | .MAdd .I}}-{{.}}-{{end}}", "-20--21--22-", tVal, true}, + {"range map", "{{range .MSI}}-{{.}}-{{end}}", "-1--3--2-", tVal, true}, +diff --git a/src/text/template/parse/lex.go b/src/text/template/parse/lex.go +index 6784071..95e3377 100644 +--- a/src/text/template/parse/lex.go ++++ b/src/text/template/parse/lex.go +@@ -62,6 +62,8 @@ const ( + // Keywords appear after all the rest. + itemKeyword // used only to delimit the keywords + itemBlock // block keyword ++ itemBreak // break keyword ++ itemContinue // continue keyword + itemDot // the cursor, spelled '.' + itemDefine // define keyword + itemElse // else keyword +@@ -76,6 +78,8 @@ const ( + var key = map[string]itemType{ + ".": itemDot, + "block": itemBlock, ++ "break": itemBreak, ++ "continue": itemContinue, + "define": itemDefine, + "else": itemElse, + "end": itemEnd, +@@ -119,6 +123,8 @@ type lexer struct { + parenDepth int // nesting depth of ( ) exprs + line int // 1+number of newlines seen + startLine int // start line of this item ++ breakOK bool // break keyword allowed ++ continueOK bool // continue keyword allowed + } + + // next returns the next rune in the input. +@@ -461,7 +467,12 @@ Loop: + } + switch { + case key[word] > itemKeyword: +- l.emit(key[word]) ++ item := key[word] ++ if item == itemBreak && !l.breakOK || item == itemContinue && !l.continueOK { ++ l.emit(itemIdentifier) ++ } else { ++ l.emit(item) ++ } + case word[0] == '.': + l.emit(itemField) + case word == "true", word == "false": +diff --git a/src/text/template/parse/lex_test.go b/src/text/template/parse/lex_test.go +index 6510eed..df6aabf 100644 +--- a/src/text/template/parse/lex_test.go ++++ b/src/text/template/parse/lex_test.go +@@ -35,6 +35,8 @@ var itemName = map[itemType]string{ + // keywords + itemDot: ".", + itemBlock: "block", ++ itemBreak: "break", ++ itemContinue: "continue", + itemDefine: "define", + itemElse: "else", + itemIf: "if", +diff --git a/src/text/template/parse/node.go b/src/text/template/parse/node.go +index a9dad5e..c398da0 100644 +--- a/src/text/template/parse/node.go ++++ b/src/text/template/parse/node.go +@@ -71,6 +71,8 @@ const ( + NodeVariable // A $ variable. + NodeWith // A with action. + NodeComment // A comment. ++ NodeBreak // A break action. ++ NodeContinue // A continue action. + ) + + // Nodes. +@@ -907,6 +909,40 @@ func (i *IfNode) Copy() Node { + return i.tr.newIf(i.Pos, i.Line, i.Pipe.CopyPipe(), i.List.CopyList(), i.ElseList.CopyList()) + } + ++// BreakNode represents a {{break}} action. ++type BreakNode struct { ++ tr *Tree ++ NodeType ++ Pos ++ Line int ++} ++ ++func (t *Tree) newBreak(pos Pos, line int) *BreakNode { ++ return &BreakNode{tr: t, NodeType: NodeBreak, Pos: pos, Line: line} ++} ++ ++func (b *BreakNode) Copy() Node { return b.tr.newBreak(b.Pos, b.Line) } ++func (b *BreakNode) String() string { return "{{break}}" } ++func (b *BreakNode) tree() *Tree { return b.tr } ++func (b *BreakNode) writeTo(sb *strings.Builder) { sb.WriteString("{{break}}") } ++ ++// ContinueNode represents a {{continue}} action. ++type ContinueNode struct { ++ tr *Tree ++ NodeType ++ Pos ++ Line int ++} ++ ++func (t *Tree) newContinue(pos Pos, line int) *ContinueNode { ++ return &ContinueNode{tr: t, NodeType: NodeContinue, Pos: pos, Line: line} ++} ++ ++func (c *ContinueNode) Copy() Node { return c.tr.newContinue(c.Pos, c.Line) } ++func (c *ContinueNode) String() string { return "{{continue}}" } ++func (c *ContinueNode) tree() *Tree { return c.tr } ++func (c *ContinueNode) writeTo(sb *strings.Builder) { sb.WriteString("{{continue}}") } ++ + // RangeNode represents a {{range}} action and its commands. + type RangeNode struct { + BranchNode +diff --git a/src/text/template/parse/parse.go b/src/text/template/parse/parse.go +index 5e6e512..7f78b56 100644 +--- a/src/text/template/parse/parse.go ++++ b/src/text/template/parse/parse.go +@@ -31,6 +31,7 @@ type Tree struct { + vars []string // variables defined at the moment. + treeSet map[string]*Tree + actionLine int // line of left delim starting action ++ rangeDepth int + mode Mode + } + +@@ -223,6 +224,8 @@ func (t *Tree) startParse(funcs []map[string]interface{}, lex *lexer, treeSet ma + t.vars = []string{"$"} + t.funcs = funcs + t.treeSet = treeSet ++ lex.breakOK = !t.hasFunction("break") ++ lex.continueOK = !t.hasFunction("continue") + } + + // stopParse terminates parsing. +@@ -385,6 +388,10 @@ func (t *Tree) action() (n Node) { + switch token := t.nextNonSpace(); token.typ { + case itemBlock: + return t.blockControl() ++ case itemBreak: ++ return t.breakControl(token.pos, token.line) ++ case itemContinue: ++ return t.continueControl(token.pos, token.line) + case itemElse: + return t.elseControl() + case itemEnd: +@@ -404,6 +411,32 @@ func (t *Tree) action() (n Node) { + return t.newAction(token.pos, token.line, t.pipeline("command", itemRightDelim)) + } + ++// Break: ++// {{break}} ++// Break keyword is past. ++func (t *Tree) breakControl(pos Pos, line int) Node { ++ if token := t.next(); token.typ != itemRightDelim { ++ t.unexpected(token, "in {{break}}") ++ } ++ if t.rangeDepth == 0 { ++ t.errorf("{{break}} outside {{range}}") ++ } ++ return t.newBreak(pos, line) ++} ++ ++// Continue: ++// {{continue}} ++// Continue keyword is past. ++func (t *Tree) continueControl(pos Pos, line int) Node { ++ if token := t.next(); token.typ != itemRightDelim { ++ t.unexpected(token, "in {{continue}}") ++ } ++ if t.rangeDepth == 0 { ++ t.errorf("{{continue}} outside {{range}}") ++ } ++ return t.newContinue(pos, line) ++} ++ + // Pipeline: + // declarations? command ('|' command)* + func (t *Tree) pipeline(context string, end itemType) (pipe *PipeNode) { +@@ -479,8 +512,14 @@ func (t *Tree) checkPipeline(pipe *PipeNode, context string) { + func (t *Tree) parseControl(allowElseIf bool, context string) (pos Pos, line int, pipe *PipeNode, list, elseList *ListNode) { + defer t.popVars(len(t.vars)) + pipe = t.pipeline(context, itemRightDelim) ++ if context == "range" { ++ t.rangeDepth++ ++ } + var next Node + list, next = t.itemList() ++ if context == "range" { ++ t.rangeDepth-- ++ } + switch next.Type() { + case nodeEnd: //done + case nodeElse: +@@ -522,7 +561,8 @@ func (t *Tree) ifControl() Node { + // {{range pipeline}} itemList {{else}} itemList {{end}} + // Range keyword is past. + func (t *Tree) rangeControl() Node { +- return t.newRange(t.parseControl(false, "range")) ++ r := t.newRange(t.parseControl(false, "range")) ++ return r + } + + // With: +diff --git a/src/text/template/parse/parse_test.go b/src/text/template/parse/parse_test.go +index 220f984..ba45636 100644 +--- a/src/text/template/parse/parse_test.go ++++ b/src/text/template/parse/parse_test.go +@@ -230,6 +230,10 @@ var parseTests = []parseTest{ + `{{range $x := .SI}}{{.}}{{end}}`}, + {"range 2 vars", "{{range $x, $y := .SI}}{{.}}{{end}}", noError, + `{{range $x, $y := .SI}}{{.}}{{end}}`}, ++ {"range with break", "{{range .SI}}{{.}}{{break}}{{end}}", noError, ++ `{{range .SI}}{{.}}{{break}}{{end}}`}, ++ {"range with continue", "{{range .SI}}{{.}}{{continue}}{{end}}", noError, ++ `{{range .SI}}{{.}}{{continue}}{{end}}`}, + {"constants", "{{range .SI 1 -3.2i true false 'a' nil}}{{end}}", noError, + `{{range .SI 1 -3.2i true false 'a' nil}}{{end}}`}, + {"template", "{{template `x`}}", noError, +@@ -279,6 +283,10 @@ var parseTests = []parseTest{ + {"adjacent args", "{{printf 3`x`}}", hasError, ""}, + {"adjacent args with .", "{{printf `x`.}}", hasError, ""}, + {"extra end after if", "{{if .X}}a{{else if .Y}}b{{end}}{{end}}", hasError, ""}, ++ {"break outside range", "{{range .}}{{end}} {{break}}", hasError, ""}, ++ {"continue outside range", "{{range .}}{{end}} {{continue}}", hasError, ""}, ++ {"break in range else", "{{range .}}{{else}}{{break}}{{end}}", hasError, ""}, ++ {"continue in range else", "{{range .}}{{else}}{{continue}}{{end}}", hasError, ""}, + // Other kinds of assignments and operators aren't available yet. + {"bug0a", "{{$x := 0}}{{$x}}", noError, "{{$x := 0}}{{$x}}"}, + {"bug0b", "{{$x += 1}}{{$x}}", hasError, ""}, +-- +2.7.4 diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-3.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538_6.patch similarity index 53% rename from meta/recipes-devtools/go/go-1.14/CVE-2023-24538-3.patch rename to meta/recipes-devtools/go/go-1.14/CVE-2023-24538_6.patch index d5bb33e091..baf400b891 100644 --- a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-3.patch +++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538_6.patch @@ -1,7 +1,7 @@ From 16f4882984569f179d73967c9eee679bb9b098c5 Mon Sep 17 00:00:00 2001 From: Roland Shoemaker Date: Mon, 20 Mar 2023 11:01:13 -0700 -Subject: [PATCH 3/3] html/template: disallow actions in JS template literals +Subject: [PATCH 6/6] html/template: disallow actions in JS template literals ECMAScript 6 introduced template literals[0][1] which are delimited with backticks. These need to be escaped in a similar fashion to the @@ -52,12 +52,15 @@ CVE: CVE-2023-24538 Signed-off-by: Shubham Kulkarni --- src/html/template/context.go | 2 ++ - src/html/template/error.go | 13 +++++++++++++ - src/html/template/escape.go | 11 +++++++++++ + src/html/template/error.go | 13 ++++++++ + src/html/template/escape.go | 11 +++++++ + src/html/template/escape_test.go | 66 ++++++++++++++++++++++----------------- src/html/template/js.go | 2 ++ - src/html/template/jsctx_string.go | 9 +++++++++ - src/html/template/transition.go | 7 ++++++- - 6 files changed, 43 insertions(+), 1 deletion(-) + src/html/template/js_test.go | 2 +- + src/html/template/jsctx_string.go | 9 ++++++ + src/html/template/state_string.go | 37 ++++++++++++++++++++-- + src/html/template/transition.go | 7 ++++- + 9 files changed, 116 insertions(+), 33 deletions(-) diff --git a/src/html/template/context.go b/src/html/template/context.go index f7d4849..0b65313 100644 @@ -125,6 +128,104 @@ index f12dafa..29ca5b3 100644 case stateJSRegexp: s = append(s, "_html_template_jsregexpescaper") case stateCSS: +diff --git a/src/html/template/escape_test.go b/src/html/template/escape_test.go +index fa2b84a..1b150e9 100644 +--- a/src/html/template/escape_test.go ++++ b/src/html/template/escape_test.go +@@ -681,35 +681,31 @@ func TestEscape(t *testing.T) { + } + + for _, test := range tests { +- tmpl := New(test.name) +- tmpl = Must(tmpl.Parse(test.input)) +- // Check for bug 6459: Tree field was not set in Parse. +- if tmpl.Tree != tmpl.text.Tree { +- t.Errorf("%s: tree not set properly", test.name) +- continue +- } +- b := new(bytes.Buffer) +- if err := tmpl.Execute(b, data); err != nil { +- t.Errorf("%s: template execution failed: %s", test.name, err) +- continue +- } +- if w, g := test.output, b.String(); w != g { +- t.Errorf("%s: escaped output: want\n\t%q\ngot\n\t%q", test.name, w, g) +- continue +- } +- b.Reset() +- if err := tmpl.Execute(b, pdata); err != nil { +- t.Errorf("%s: template execution failed for pointer: %s", test.name, err) +- continue +- } +- if w, g := test.output, b.String(); w != g { +- t.Errorf("%s: escaped output for pointer: want\n\t%q\ngot\n\t%q", test.name, w, g) +- continue +- } +- if tmpl.Tree != tmpl.text.Tree { +- t.Errorf("%s: tree mismatch", test.name) +- continue +- } ++ t.Run(test.name, func(t *testing.T) { ++ tmpl := New(test.name) ++ tmpl = Must(tmpl.Parse(test.input)) ++ // Check for bug 6459: Tree field was not set in Parse. ++ if tmpl.Tree != tmpl.text.Tree { ++ t.Fatalf("%s: tree not set properly", test.name) ++ } ++ b := new(strings.Builder) ++ if err := tmpl.Execute(b, data); err != nil { ++ t.Fatalf("%s: template execution failed: %s", test.name, err) ++ } ++ if w, g := test.output, b.String(); w != g { ++ t.Fatalf("%s: escaped output: want\n\t%q\ngot\n\t%q", test.name, w, g) ++ } ++ b.Reset() ++ if err := tmpl.Execute(b, pdata); err != nil { ++ t.Fatalf("%s: template execution failed for pointer: %s", test.name, err) ++ } ++ if w, g := test.output, b.String(); w != g { ++ t.Fatalf("%s: escaped output for pointer: want\n\t%q\ngot\n\t%q", test.name, w, g) ++ } ++ if tmpl.Tree != tmpl.text.Tree { ++ t.Fatalf("%s: tree mismatch", test.name) ++ } ++ }) + } + } + +@@ -936,6 +932,10 @@ func TestErrors(t *testing.T) { + "{{range .Items}}{{if .X}}{{break}}{{end}}{{end}}", + "", + }, ++ { ++ "`", ++ "", ++ }, + // Error cases. + { + "{{if .Cond}}var tmpl = `asd {{.}}`;", ++ `{{.}} appears in a JS template literal`, ++ }, + } + for _, test := range tests { + buf := new(bytes.Buffer) +@@ -1304,6 +1308,10 @@ func TestEscapeText(t *testing.T) { + context{state: stateJSSqStr, delim: delimDoubleQuote, attr: attrScript}, + }, + { ++ "= state(len(_state_index)-1) { diff --git a/src/html/template/transition.go b/src/html/template/transition.go index 06df679..92eb351 100644 --- a/src/html/template/transition.go diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-39318.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-39318.patch index 20e70c0485..00def8fcda 100644 --- a/meta/recipes-devtools/go/go-1.14/CVE-2023-39318.patch +++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-39318.patch @@ -34,9 +34,9 @@ Signed-off-by: Siddharth Doshi src/html/template/context.go | 6 ++- src/html/template/escape.go | 5 +- src/html/template/escape_test.go | 10 ++++ - src/html/template/state_string.go | 4 +- + src/html/template/state_string.go | 26 +++++----- src/html/template/transition.go | 80 ++++++++++++++++++++----------- - 5 files changed, 72 insertions(+), 33 deletions(-) + 5 files changed, 84 insertions(+), 43 deletions(-) diff --git a/src/html/template/context.go b/src/html/template/context.go index 0b65313..4eb7891 100644 @@ -105,14 +105,38 @@ diff --git a/src/html/template/state_string.go b/src/html/template/state_string. index 05104be..b5cfe70 100644 --- a/src/html/template/state_string.go +++ b/src/html/template/state_string.go -@@ -4,9 +4,9 @@ package template - - import "strconv" +@@ -25,21 +25,23 @@ func _() { + _ = x[stateJSRegexp-14] + _ = x[stateJSBlockCmt-15] + _ = x[stateJSLineCmt-16] +- _ = x[stateCSS-17] +- _ = x[stateCSSDqStr-18] +- _ = x[stateCSSSqStr-19] +- _ = x[stateCSSDqURL-20] +- _ = x[stateCSSSqURL-21] +- _ = x[stateCSSURL-22] +- _ = x[stateCSSBlockCmt-23] +- _ = x[stateCSSLineCmt-24] +- _ = x[stateError-25] +- _ = x[stateDead-26] ++ _ = x[stateJSHTMLOpenCmt-17] ++ _ = x[stateJSHTMLCloseCmt-18] ++ _ = x[stateCSS-19] ++ _ = x[stateCSSDqStr-20] ++ _ = x[stateCSSSqStr-21] ++ _ = x[stateCSSDqURL-22] ++ _ = x[stateCSSSqURL-23] ++ _ = x[stateCSSURL-24] ++ _ = x[stateCSSBlockCmt-25] ++ _ = x[stateCSSLineCmt-26] ++ _ = x[stateError-27] ++ _ = x[stateDead-28] + } --const _state_name = "stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCDATAstateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSRegexpstateJSBlockCmtstateJSLineCmtstateCSSstateCSSDqStrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateError" +-const _state_name = "stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCDATAstateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSBqStrstateJSRegexpstateJSBlockCmtstateJSLineCmtstateCSSstateCSSDqStrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateErrorstateDead" +const _state_name = "stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCDATAstateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSBqStrstateJSRegexpstateJSBlockCmtstateJSLineCmtstateJSHTMLOpenCmtstateJSHTMLCloseCmtstateCSSstateCSSDqStrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateErrorstateDead" --var _state_index = [...]uint16{0, 9, 17, 30, 44, 60, 72, 83, 92, 100, 111, 118, 130, 142, 155, 170, 184, 192, 205, 218, 231, 244, 255, 271, 286, 296} +-var _state_index = [...]uint16{0, 9, 17, 30, 44, 60, 72, 83, 92, 100, 111, 118, 130, 142, 154, 167, 182, 196, 204, 217, 230, 243, 256, 267, 283, 298, 308, 317} +var _state_index = [...]uint16{0, 9, 17, 30, 44, 60, 72, 83, 92, 100, 111, 118, 130, 142, 154, 167, 182, 196, 214, 233, 241, 254, 267, 280, 293, 304, 320, 335, 345, 354} func (i state) String() string { From patchwork Tue Oct 10 14:14:21 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 31936 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0E3A9CD8C93 for ; Tue, 10 Oct 2023 14:14:50 +0000 (UTC) Received: from mail-pl1-f177.google.com (mail-pl1-f177.google.com [209.85.214.177]) by mx.groups.io with SMTP id smtpd.web10.92771.1696947281691069657 for ; Tue, 10 Oct 2023 07:14:41 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=rzLxE5cX; spf=temperror, err=temporary DNS error (domain: sakoman.com, ip: 209.85.214.177, mailfrom: steve@sakoman.com) Received: by mail-pl1-f177.google.com with SMTP id d9443c01a7336-1c434c33ec0so35032065ad.3 for ; Tue, 10 Oct 2023 07:14:41 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1696947281; x=1697552081; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=trQt569343pG/iNcUia0OHa1KN8yMz8aGFtDUn/CY/o=; b=rzLxE5cXCwgkqfdEICneWoOP83M/37xLMPVY/vteujKweyU8jDOq6qXQtyiC4RRelD Kq7eXH4gpquosO9hg0+D7UccHQ3nl+csNrR8Msp5rSSD9Tx1b1/lAVJyQ0diVdSK/X8a 8JajzBxalRTu8Bj70zLdO7Ryt+4dNdQOofHrbU7tV/9nykQP8/CsmEJiCzbs+mJ6hjRh eASIYL6V8sNEa7UVyxYgv4cJXVWj/Wa4Xi69CbKEepqofvch/JdCoX6S1LrcrS/UECQD nRkpNn7YnBpJgT0oxUR2amXPplE/9xFiT+murLWRcqNPJ1f78jsSjUHUofHOCZ8GhEOX W7Xw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1696947281; x=1697552081; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=trQt569343pG/iNcUia0OHa1KN8yMz8aGFtDUn/CY/o=; b=djZunwIlKKQiFXLPJy7v25GA4vtPGvkxFG/sJcJP+UE6PIgMPpnzB8QtTbcyoWxr+S b1Wakek8BRgsj+TmoCAARBPAw22X3G7elFvGzLt7ZaMqt0vHskIi3XEdatEqz/TdyKA9 EbdD3OJcqKBm9GeUr4MZR80f0F4GmgJqnO0B2rCE0aZwdEnG6hSygkRJbdhkf7Z6Qe2w GEBWB2QPWvArDDVx46GjbfGhYtlpj/sz25zckTz9cpGobbPbO6UJMWAYn0yCD/yJSG2d W1bF9tHcbudWgcIgalVP8gC+oLa7tQ0hu7KMPbf+b2yDtii4LQMHqUrizCIF+P80LbEp 5QEA== X-Gm-Message-State: AOJu0YyJE8LJLHa9OkDBPW7QGsCa1XWB/kvKTyEGr2DQvyJ4qw6EIEnW IOVDOSdm1EDnD1h4U7M9uqAsDOOqOiE7VApSPoo= X-Google-Smtp-Source: AGHT+IEcnUDMRdNwbVJa7oeI+vOQiANoxXoORtmgZmgT4Hl+6Y9qUctHMyK0e3VZMBszTS9NEeUvkA== X-Received: by 2002:a17:902:eccc:b0:1c4:44a0:5c03 with SMTP id a12-20020a170902eccc00b001c444a05c03mr19134840plh.9.1696947280606; Tue, 10 Oct 2023 07:14:40 -0700 (PDT) Received: from hexa.router0800d9.com (dhcp-72-234-106-30.hawaiiantel.net. [72.234.106.30]) by smtp.gmail.com with ESMTPSA id b8-20020a170902d50800b001b81a97860asm11737610plg.27.2023.10.10.07.14.39 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 10 Oct 2023 07:14:40 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 04/11] dbus: Backport fix for CVE-2023-34969 Date: Tue, 10 Oct 2023 04:14:21 -1000 Message-Id: <42bf7fee204890b15f80bf0749431aefb33efd99.1696946306.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 10 Oct 2023 14:14:50 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/188901 From: Julian Haller Upstream commit https://gitlab.freedesktop.org/dbus/dbus/-/commit/37a4dc5835731a1f7a81f1b67c45b8dfb556dd1c Signed-off-by: Julian Haller Signed-off-by: Steve Sakoman --- meta/recipes-core/dbus/dbus.inc | 1 + .../dbus/dbus/CVE-2023-34969.patch | 96 +++++++++++++++++++ 2 files changed, 97 insertions(+) create mode 100644 meta/recipes-core/dbus/dbus/CVE-2023-34969.patch diff --git a/meta/recipes-core/dbus/dbus.inc b/meta/recipes-core/dbus/dbus.inc index 82e91c7b13..948aaf2e24 100644 --- a/meta/recipes-core/dbus/dbus.inc +++ b/meta/recipes-core/dbus/dbus.inc @@ -8,6 +8,7 @@ SRC_URI = "https://dbus.freedesktop.org/releases/dbus/dbus-${PV}.tar.gz \ file://tmpdir.patch \ file://dbus-1.init \ file://clear-guid_from_server-if-send_negotiate_unix_f.patch \ + file://CVE-2023-34969.patch \ " SRC_URI[sha256sum] = "bc42d196c1756ac520d61bf3ccd6f42013617def45dd1e591a6091abf51dca38" diff --git a/meta/recipes-core/dbus/dbus/CVE-2023-34969.patch b/meta/recipes-core/dbus/dbus/CVE-2023-34969.patch new file mode 100644 index 0000000000..8f29185cf6 --- /dev/null +++ b/meta/recipes-core/dbus/dbus/CVE-2023-34969.patch @@ -0,0 +1,96 @@ +From 37a4dc5835731a1f7a81f1b67c45b8dfb556dd1c Mon Sep 17 00:00:00 2001 +From: hongjinghao +Date: Mon, 5 Jun 2023 18:17:06 +0100 +Subject: [PATCH] bus: Assign a serial number for messages from the driver + +Normally, it's enough to rely on a message being given a serial number +by the DBusConnection just before it is actually sent. However, in the +rare case where the policy blocks the driver from sending a message +(due to a deny rule or the outgoing message quota being full), we need +to get a valid serial number sooner, so that we can copy it into the +DBUS_HEADER_FIELD_REPLY_SERIAL field (which is mandatory) in the error +message sent to monitors. Otherwise, the dbus-daemon will crash with +an assertion failure if at least one Monitoring client is attached, +because zero is not a valid serial number to copy. + +This fixes a denial-of-service vulnerability: if a privileged user is +monitoring the well-known system bus using a Monitoring client like +dbus-monitor or `busctl monitor`, then an unprivileged user can cause +denial-of-service by triggering this crash. A mitigation for this +vulnerability is to avoid attaching Monitoring clients to the system +bus when they are not needed. If there are no Monitoring clients, then +the vulnerable code is not reached. + +Co-authored-by: Simon McVittie +Resolves: dbus/dbus#457 +(cherry picked from commit b159849e031000d1dbc1ab876b5fc78a3ce9b534) +--- + bus/connection.c | 15 +++++++++++++++ + dbus/dbus-connection-internal.h | 2 ++ + dbus/dbus-connection.c | 11 ++++++++++- + 3 files changed, 27 insertions(+), 1 deletion(-) + +diff --git a/bus/connection.c b/bus/connection.c +index b3583433..215f0230 100644 +--- a/bus/connection.c ++++ b/bus/connection.c +@@ -2350,6 +2350,21 @@ bus_transaction_send_from_driver (BusTransaction *transaction, + if (!dbus_message_set_sender (message, DBUS_SERVICE_DBUS)) + return FALSE; + ++ /* Make sure the message has a non-zero serial number, otherwise ++ * bus_transaction_capture_error_reply() will not be able to mock up ++ * a corresponding reply for it. Normally this would be delayed until ++ * the first time we actually send the message out from a ++ * connection, when the transaction is committed, but that's too late ++ * in this case. ++ */ ++ if (dbus_message_get_serial (message) == 0) ++ { ++ dbus_uint32_t next_serial; ++ ++ next_serial = _dbus_connection_get_next_client_serial (connection); ++ dbus_message_set_serial (message, next_serial); ++ } ++ + if (bus_connection_is_active (connection)) + { + if (!dbus_message_set_destination (message, +diff --git a/dbus/dbus-connection-internal.h b/dbus/dbus-connection-internal.h +index 48357321..ba79b192 100644 +--- a/dbus/dbus-connection-internal.h ++++ b/dbus/dbus-connection-internal.h +@@ -54,6 +54,8 @@ DBUS_PRIVATE_EXPORT + DBusConnection * _dbus_connection_ref_unlocked (DBusConnection *connection); + DBUS_PRIVATE_EXPORT + void _dbus_connection_unref_unlocked (DBusConnection *connection); ++DBUS_PRIVATE_EXPORT ++dbus_uint32_t _dbus_connection_get_next_client_serial (DBusConnection *connection); + void _dbus_connection_queue_received_message_link (DBusConnection *connection, + DBusList *link); + dbus_bool_t _dbus_connection_has_messages_to_send_unlocked (DBusConnection *connection); +diff --git a/dbus/dbus-connection.c b/dbus/dbus-connection.c +index c525b6dc..09cef278 100644 +--- a/dbus/dbus-connection.c ++++ b/dbus/dbus-connection.c +@@ -1456,7 +1456,16 @@ _dbus_connection_unref_unlocked (DBusConnection *connection) + _dbus_connection_last_unref (connection); + } + +-static dbus_uint32_t ++/** ++ * Allocate and return the next non-zero serial number for outgoing messages. ++ * ++ * This method is only valid to call from single-threaded code, such as ++ * the dbus-daemon, or with the connection lock held. ++ * ++ * @param connection the connection ++ * @returns A suitable serial number for the next message to be sent on the connection. ++ */ ++dbus_uint32_t + _dbus_connection_get_next_client_serial (DBusConnection *connection) + { + dbus_uint32_t serial; +-- +2.25.1 + From patchwork Tue Oct 10 14:14:22 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 31929 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id CC864CD8C82 for ; Tue, 10 Oct 2023 14:14:49 +0000 (UTC) Received: from mail-pl1-f176.google.com (mail-pl1-f176.google.com [209.85.214.176]) by mx.groups.io with SMTP id smtpd.web10.92773.1696947283207056075 for ; Tue, 10 Oct 2023 07:14:43 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=puetVxgJ; spf=softfail (domain: sakoman.com, ip: 209.85.214.176, mailfrom: steve@sakoman.com) Received: by mail-pl1-f176.google.com with SMTP id d9443c01a7336-1c8a6aa0cd1so13285255ad.0 for ; Tue, 10 Oct 2023 07:14:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1696947282; x=1697552082; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=HN9zD2PGOdTdnzgzgKz8vBJd4wD7iS49IYviXI64Yus=; b=puetVxgJYOHxWzDY8H3UHAJ4XII/sMXkuUVnbz/N3HbyKPlIqQ9O/cNsb84XK670Ns UwUwfpA63GGmTtYJRjDBT8Grgin+D9159CorC8kGrUSkYAbkOxD9QAhn0Rs3+NH/V13B rSKTmBqxCmQvXMhaambBeBRlbMqI/JZCQhQjrWWwQWj95m8znTHO6KJ2GtV3TZQg2ayl ECo8x7U4nRf3ks7gvm4FjkYM2PihN8WPnsPYkg4cbD70Q1i+0s1oiLLE3LnXwH9GLU8p bhvhbKltiECuylCWBVF1MDqE9wMJZBo03b6iTH2KiigcxNtgE7vVvCEroPZuzGqVjZjt ISAw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1696947282; x=1697552082; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=HN9zD2PGOdTdnzgzgKz8vBJd4wD7iS49IYviXI64Yus=; b=jFRtvTHTriMDxVuolTxeBJFhaOmpZOuzsd0euqGzTpGBy+www44ZKR7amXVeP49CA8 r2IycuqQx8wPku7JVr6/abgYggXTOlsmvhhYq5Jhf2Z1VDvTptgXEPIYlFHXeCVxbjgV TObh0F+5lywtt+Viefvkq0eoldNjP155OlR6UhAiA+x4W2Q7DsZHiQ++r3/TLKocAZWD 4T3/X83kOYsu0N6isfG9/+8efHa0rxO5aCk35Djm5RaeyJQsJ3/vvTJIQa5HGGXF2nWg HYg5mkdK/ET47jrgm72/X1RRzZfi56VYZ9plmc0phfLfcBSMOHrJdYwY/gdiCnrSHBRk xQxg== X-Gm-Message-State: AOJu0YzojY/iLGKtF1FQVbOVelY6Knes2xxF+N+/do9Dp+62fSPo7Blr 8flHltArXsCvSDcBazt/7Xu4cflgf/SZC6w4dKA= X-Google-Smtp-Source: AGHT+IFzQ88khqr9doDEZo16M1m5bBIzyf0rMyI4WCL1lkLhOXEXnpAgRb306kkDM7FI+WaGE8FtNQ== X-Received: by 2002:a17:903:22c8:b0:1c1:d4f4:cd3c with SMTP id y8-20020a17090322c800b001c1d4f4cd3cmr17562889plg.31.1696947282309; Tue, 10 Oct 2023 07:14:42 -0700 (PDT) Received: from hexa.router0800d9.com (dhcp-72-234-106-30.hawaiiantel.net. [72.234.106.30]) by smtp.gmail.com with ESMTPSA id b8-20020a170902d50800b001b81a97860asm11737610plg.27.2023.10.10.07.14.41 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 10 Oct 2023 07:14:41 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 05/11] dbus: Add missing CVE_PRODUCT Date: Tue, 10 Oct 2023 04:14:22 -1000 Message-Id: <922872c85d417a5a319aa4beef57ffa4d05faf27.1696946306.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 10 Oct 2023 14:14:49 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/188903 From: Julian Haller The current dunfell CVE scans report 0 CVEs for our dbus version. This is not correct, though, as we use the wrong product name to query it. Fix this to get a proper CVE list. Signed-off-by: Julian Haller Signed-off-by: Steve Sakoman --- meta/recipes-core/dbus/dbus.inc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/recipes-core/dbus/dbus.inc b/meta/recipes-core/dbus/dbus.inc index 948aaf2e24..9b5cc53d92 100644 --- a/meta/recipes-core/dbus/dbus.inc +++ b/meta/recipes-core/dbus/dbus.inc @@ -32,3 +32,5 @@ PACKAGECONFIG[systemd] = "--enable-systemd --with-systemdsystemunitdir=${systemd PACKAGECONFIG[x11] = "--with-x --enable-x11-autolaunch,--without-x --disable-x11-autolaunch, virtual/libx11 libsm" PACKAGECONFIG[user-session] = "--enable-user-session --with-systemduserunitdir=${systemd_user_unitdir},--disable-user-session" PACKAGECONFIG[verbose-mode] = "--enable-verbose-mode,,," + +CVE_PRODUCT += "d-bus_project:d-bus freedesktop:dbus freedesktop:libdbus" From patchwork Tue Oct 10 14:14:23 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 31932 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id D9C41CD8C8B for ; Tue, 10 Oct 2023 14:14:49 +0000 (UTC) Received: from mail-pl1-f177.google.com (mail-pl1-f177.google.com [209.85.214.177]) by mx.groups.io with SMTP id smtpd.web10.92775.1696947284681191862 for ; Tue, 10 Oct 2023 07:14:44 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=D7u8Nqc0; spf=softfail (domain: sakoman.com, ip: 209.85.214.177, mailfrom: steve@sakoman.com) Received: by mail-pl1-f177.google.com with SMTP id d9443c01a7336-1bf55a81eeaso38547225ad.0 for ; Tue, 10 Oct 2023 07:14:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1696947284; x=1697552084; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=DRnMC8z1BTuG9FoSiG/nitIMKKEVsyUhPwn4ps8/R4c=; b=D7u8Nqc07+dKXvxHsyOPswUufIxaQOFYZclFyx9mO+VhJ6Fff5/UKojFOxDdGCyTWg s8m3vsEGf1FaHSSXkqtD2QF2IR5I/2ZqTBqUPZzi6z705hxBJWIq3HuowHWsnvH/apeV +0agJXC2ffh45oDf96KPIXnefi7MiA6zjPUoEUBYiUp1HtvZ8NA2Q/hyW2Q4Co4gWTHg 68roaM2ALB4VRu5R+RE4doN2QKDkWNA+rWbw4UT/oBeq8INo217x+d78GgHt/SUcqiXw ZHyoGOJ8n9upBZbWkS0PcNWe5M72tB2sJZEPCEYaSuCAvRVctrqOqsDnfR58Yu9PqQEI 6gfA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1696947284; x=1697552084; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=DRnMC8z1BTuG9FoSiG/nitIMKKEVsyUhPwn4ps8/R4c=; b=R+uhCtsTXljAnfWm8L0pz74L/T2PaVCukuCDP5/cj0We0oabPuuDLBG+zXfY/Jy7Gn E40LjqQOsOGzPO4iaXob1nw4Zy8r/hwHcEfDBjHXn8twvw0/a6GaSaHIBeMPLBKiKo22 taDxJLZ485a/WfGJO4YusN/XF8q62FzJFiy2fSB5dADtd1qvuVINLGbXZfxBVjuiTmNc Yvs7wSK/3x8nYQ9dk25JXwldTVz1NVis93Zs3YBRBZLBuSdzMov8hFhOp3WpHdh9HoT1 d8j4zsrZmy7gKKf6pni5IMYeH0VdZTY/fvgVH0QbiIVIIUSWOzJ65T6QsEnn1wZmcLjz E24A== X-Gm-Message-State: AOJu0YxjT3bbxdSNXqa6w3Om+xoYIH94T9/rTjfEsqbpMvmdcmtCIE89 5PeJZ1yvOq4ZnMKi/prD/wQyUbnApN4lYOCHtXg= X-Google-Smtp-Source: AGHT+IEXnQLAto1+VLd5vW0WNKDX5eVSlWVmPzog0qz0HcNx/dyGpZPgDIYj+SmN8ePoCjd7gdCVoQ== X-Received: by 2002:a17:903:2689:b0:1c9:b1f7:ec6c with SMTP id jf9-20020a170903268900b001c9b1f7ec6cmr1603518plb.56.1696947283734; Tue, 10 Oct 2023 07:14:43 -0700 (PDT) Received: from hexa.router0800d9.com (dhcp-72-234-106-30.hawaiiantel.net. [72.234.106.30]) by smtp.gmail.com with ESMTPSA id b8-20020a170902d50800b001b81a97860asm11737610plg.27.2023.10.10.07.14.43 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 10 Oct 2023 07:14:43 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 06/11] xdg-utils: Fix CVE-2022-4055 Date: Tue, 10 Oct 2023 04:14:23 -1000 Message-Id: <22d2c549ba6d8be137d1d290d9a04691ca1858f2.1696946306.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 10 Oct 2023 14:14:49 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/188904 From: Hitendra Prajapati Upstream-Status: Backport from https://gitlab.freedesktop.org/xdg/xdg-utils/-/commit/f67c4d1f8bd2e3cbcb9eb49f5e897075e7426780 Signed-off-by: Hitendra Prajapati Signed-off-by: Steve Sakoman --- .../xdg-utils/xdg-utils/CVE-2022-4055.patch | 165 ++++++++++++++++++ .../xdg-utils/xdg-utils_1.1.3.bb | 1 + 2 files changed, 166 insertions(+) create mode 100644 meta/recipes-extended/xdg-utils/xdg-utils/CVE-2022-4055.patch diff --git a/meta/recipes-extended/xdg-utils/xdg-utils/CVE-2022-4055.patch b/meta/recipes-extended/xdg-utils/xdg-utils/CVE-2022-4055.patch new file mode 100644 index 0000000000..383634ad53 --- /dev/null +++ b/meta/recipes-extended/xdg-utils/xdg-utils/CVE-2022-4055.patch @@ -0,0 +1,165 @@ +From f67c4d1f8bd2e3cbcb9eb49f5e897075e7426780 Mon Sep 17 00:00:00 2001 +From: Gabriel Corona +Date: Thu, 25 Aug 2022 23:51:45 +0200 +Subject: [PATCH] Disable special support for Thunderbird in xdg-email (fixes + CVE-2020-27748, CVE-2022-4055) + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xdg/xdg-utils/-/commit/f67c4d1f8bd2e3cbcb9eb49f5e897075e7426780] +CVE: CVE-2022-4055 +Signed-off-by: Hitendra Prajapati +--- + scripts/xdg-email.in | 108 ------------------------------------------- + 1 file changed, 108 deletions(-) + +diff --git a/scripts/xdg-email.in b/scripts/xdg-email.in +index 13ba2d5..b700679 100644 +--- a/scripts/xdg-email.in ++++ b/scripts/xdg-email.in +@@ -30,76 +30,8 @@ _USAGE + + #@xdg-utils-common@ + +-run_thunderbird() +-{ +- local THUNDERBIRD MAILTO NEWMAILTO TO CC BCC SUBJECT BODY +- THUNDERBIRD="$1" +- MAILTO=$(echo "$2" | sed 's/^mailto://') +- echo "$MAILTO" | grep -qs "^?" +- if [ "$?" = "0" ] ; then +- MAILTO=$(echo "$MAILTO" | sed 's/^?//') +- else +- MAILTO=$(echo "$MAILTO" | sed 's/^/to=/' | sed 's/?/\&/') +- fi +- +- MAILTO=$(echo "$MAILTO" | sed 's/&/\n/g') +- TO=$(/bin/echo -e $(echo "$MAILTO" | grep '^to=' | sed 's/^to=//;s/%\(..\)/\\x\1/g' | awk '{ printf "%s,",$0 }')) +- CC=$(/bin/echo -e $(echo "$MAILTO" | grep '^cc=' | sed 's/^cc=//;s/%\(..\)/\\x\1/g' | awk '{ printf "%s,",$0 }')) +- BCC=$(/bin/echo -e $(echo "$MAILTO" | grep '^bcc=' | sed 's/^bcc=//;s/%\(..\)/\\x\1/g' | awk '{ printf "%s,",$0 }')) +- SUBJECT=$(echo "$MAILTO" | grep '^subject=' | tail -n 1) +- BODY=$(echo "$MAILTO" | grep '^body=' | tail -n 1) +- +- if [ -z "$TO" ] ; then +- NEWMAILTO= +- else +- NEWMAILTO="to='$TO'" +- fi +- if [ -n "$CC" ] ; then +- NEWMAILTO="${NEWMAILTO},cc='$CC'" +- fi +- if [ -n "$BCC" ] ; then +- NEWMAILTO="${NEWMAILTO},bcc='$BCC'" +- fi +- if [ -n "$SUBJECT" ] ; then +- NEWMAILTO="${NEWMAILTO},$SUBJECT" +- fi +- if [ -n "$BODY" ] ; then +- NEWMAILTO="${NEWMAILTO},$BODY" +- fi +- +- NEWMAILTO=$(echo "$NEWMAILTO" | sed 's/^,//') +- DEBUG 1 "Running $THUNDERBIRD -compose \"$NEWMAILTO\"" +- "$THUNDERBIRD" -compose "$NEWMAILTO" +- if [ $? -eq 0 ]; then +- exit_success +- else +- exit_failure_operation_failed +- fi +-} +- + open_kde() + { +- if [ -n "$KDE_SESSION_VERSION" ] && [ "$KDE_SESSION_VERSION" -ge 5 ]; then +- local kreadconfig=kreadconfig$KDE_SESSION_VERSION +- else +- local kreadconfig=kreadconfig +- fi +- +- if which $kreadconfig >/dev/null 2>&1; then +- local profile=$($kreadconfig --file emaildefaults \ +- --group Defaults --key Profile) +- if [ -n "$profile" ]; then +- local client=$($kreadconfig --file emaildefaults \ +- --group "PROFILE_$profile" \ +- --key EmailClient \ +- | cut -d ' ' -f 1) +- +- if echo "$client" | grep -Eq 'thunderbird|icedove'; then +- run_thunderbird "$client" "$1" +- fi +- fi +- fi +- + local command + case "$KDE_SESSION_VERSION" in + '') command=kmailservice ;; +@@ -130,15 +62,6 @@ open_kde() + + open_gnome3() + { +- local client +- local desktop +- desktop=`xdg-mime query default "x-scheme-handler/mailto"` +- client=`desktop_file_to_binary "$desktop"` +- echo $client | grep -E 'thunderbird|icedove' > /dev/null 2>&1 +- if [ $? -eq 0 ] ; then +- run_thunderbird "$client" "$1" +- fi +- + if gio help open 2>/dev/null 1>&2; then + DEBUG 1 "Running gio open \"$1\"" + gio open "$1" +@@ -159,13 +82,6 @@ open_gnome3() + + open_gnome() + { +- local client +- client=`gconftool-2 --get /desktop/gnome/url-handlers/mailto/command | cut -d ' ' -f 1` || "" +- echo $client | grep -E 'thunderbird|icedove' > /dev/null 2>&1 +- if [ $? -eq 0 ] ; then +- run_thunderbird "$client" "$1" +- fi +- + if gio help open 2>/dev/null 1>&2; then + DEBUG 1 "Running gio open \"$1\"" + gio open "$1" +@@ -231,15 +147,6 @@ open_flatpak() + + open_generic() + { +- local client +- local desktop +- desktop=`xdg-mime query default "x-scheme-handler/mailto"` +- client=`desktop_file_to_binary "$desktop"` +- echo $client | grep -E 'thunderbird|icedove' > /dev/null 2>&1 +- if [ $? -eq 0 ] ; then +- run_thunderbird "$client" "$1" +- fi +- + xdg-open "$1" + local ret=$? + +@@ -364,21 +271,6 @@ while [ $# -gt 0 ] ; do + shift + ;; + +- --attach) +- if [ -z "$1" ] ; then +- exit_failure_syntax "file argument missing for --attach option" +- fi +- check_input_file "$1" +- file=`readlink -f "$1"` # Normalize path +- if [ -z "$file" ] || [ ! -f "$file" ] ; then +- exit_failure_file_missing "file '$1' does not exist" +- fi +- +- url_encode "$file" +- options="${options}attach=${result}&" +- shift +- ;; +- + -*) + exit_failure_syntax "unexpected option '$parm'" + ;; +-- +2.25.1 + diff --git a/meta/recipes-extended/xdg-utils/xdg-utils_1.1.3.bb b/meta/recipes-extended/xdg-utils/xdg-utils_1.1.3.bb index 41b74b8598..f6989430f5 100644 --- a/meta/recipes-extended/xdg-utils/xdg-utils_1.1.3.bb +++ b/meta/recipes-extended/xdg-utils/xdg-utils_1.1.3.bb @@ -21,6 +21,7 @@ SRC_URI = "https://portland.freedesktop.org/download/${BPN}-${PV}.tar.gz \ file://0001-Reinstate-xdg-terminal.patch \ file://0001-Don-t-build-the-in-script-manual.patch \ file://1f199813e0eb0246f63b54e9e154970e609575af.patch \ + file://CVE-2022-4055.patch \ " SRC_URI[md5sum] = "902042508b626027a3709d105f0b63ff" From patchwork Tue Oct 10 14:14:24 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 31935 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 00D95CD8C90 for ; Tue, 10 Oct 2023 14:14:50 +0000 (UTC) Received: from mail-pl1-f173.google.com (mail-pl1-f173.google.com [209.85.214.173]) by mx.groups.io with SMTP id smtpd.web10.92777.1696947286196978324 for ; Tue, 10 Oct 2023 07:14:46 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=Z6gTkc6Q; spf=softfail (domain: sakoman.com, ip: 209.85.214.173, mailfrom: steve@sakoman.com) Received: by mail-pl1-f173.google.com with SMTP id d9443c01a7336-1c61bde0b4bso48403025ad.3 for ; Tue, 10 Oct 2023 07:14:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1696947285; x=1697552085; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=Sqs6G5dCREITbPRgSUAU6tv6PDsdVsfIN6p5nvGRuVg=; b=Z6gTkc6Qvd0pHdc3LZwm3tMOOj/RQiNjqx/sdLbFif+GtYdAEOunBoup43+DGLarRb R63t40n0k0Cu+yOuzAYPsqsL5KfLA8c5iF51f+oGQj0HniBgU5HZrGw++iM6oTevzFKj ydng/0i7KbV/XHSpPSnRJMpMDiIKqq+BoHx6C3IlbL3snJR2/xTHWVpmE6gJkAWjxka3 v9w6L86hZ/LLUkkOuSQQPg7Aw+n9bL/AJ8kEu701aYofVxi8paMzygYGVpPwMyTPu2Cn wbq8GDTy7vAWNC/1WH8pr4T1+0qjBp6VVJWja+0W/BjC5vbysZtdt2w7xpUdi7fwHobc 3N8g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1696947285; x=1697552085; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Sqs6G5dCREITbPRgSUAU6tv6PDsdVsfIN6p5nvGRuVg=; b=jiw7+/Klop9jLgaoZTYTd5LFbyo5+ofSiGI+DzupZZWtyRXfy6PiqAZA2V9BuARnCK W4bBxBJAS8BjMjdiBn4/KEbqvfpsx7/4ckAZ3MgQ8JwY/IxyTtSmkCzwBGyXJW9iPSfg 8wd38tkteIM2Je38x10SjZZbUMWXzH15U3KRlf1jdWNMVkIdczZ4ENAw2w+SqRVo4lje ELhizYhExwpC9QEYSoL/5L54dY+7VRy+aWULUJsulGle3bFnw0hY7aZkBCufgWeFRXkr SC+zLsG3gez/adjgXEdyQWfDOlRqzTz9QQRqfdzrGMV7EkP5bxxYJK6MJJha+LPWyee0 DBng== X-Gm-Message-State: AOJu0YzL+pVuldA2g03aFZaLlgrRTcDY8R0SaZN/GMAbe2r4abolGI8X Wfl9K6I5fLBsuOPasDdMw495dJcWQEYHs2P5x6s= X-Google-Smtp-Source: AGHT+IFr115ai0F1iJSjftXHra0i2c/AAPtuYfTlZpYPKylWelfeROICkP1Pp3Jd7lflSS3lrmYmFw== X-Received: by 2002:a17:902:c3cd:b0:1c6:1cd8:5b59 with SMTP id j13-20020a170902c3cd00b001c61cd85b59mr17949495plj.1.1696947285305; Tue, 10 Oct 2023 07:14:45 -0700 (PDT) Received: from hexa.router0800d9.com (dhcp-72-234-106-30.hawaiiantel.net. [72.234.106.30]) by smtp.gmail.com with ESMTPSA id b8-20020a170902d50800b001b81a97860asm11737610plg.27.2023.10.10.07.14.44 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 10 Oct 2023 07:14:44 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 07/11] libpcre2 : Follow up fix CVE-2022-1586 Date: Tue, 10 Oct 2023 04:14:24 -1000 Message-Id: <7e2fe508b456207fd991ece7621ef8ba24b89e59.1696946306.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 10 Oct 2023 14:14:49 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/188905 From: Shinu Chandran CVE-2022-1586 was originally fixed by OE commit https://github.com/openembedded/openembedded-core/commit/7f4daf88b71f through libpcre2 commit https://github.com/PCRE2Project/pcre2/commit/50a51cb7e672 The follow up patch is required to resolve a bug in the initial fix[50a51cb7e672] https://github.com/PCRE2Project/pcre2/commit/d4fa336fbcc3 Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-1586 https://security-tracker.debian.org/tracker/CVE-2022-1586 Signed-off-by: Shinu Chandran Signed-off-by: Steve Sakoman --- .../libpcre2/CVE-2022-1586-regression.patch | 30 +++++++++++++++++++ .../recipes-support/libpcre/libpcre2_10.34.bb | 1 + 2 files changed, 31 insertions(+) create mode 100644 meta/recipes-support/libpcre/libpcre2/CVE-2022-1586-regression.patch diff --git a/meta/recipes-support/libpcre/libpcre2/CVE-2022-1586-regression.patch b/meta/recipes-support/libpcre/libpcre2/CVE-2022-1586-regression.patch new file mode 100644 index 0000000000..42ee417fe7 --- /dev/null +++ b/meta/recipes-support/libpcre/libpcre2/CVE-2022-1586-regression.patch @@ -0,0 +1,30 @@ +From 5d1e62b0155292b994aa1c96d4ed8ce4346ef4c2 Mon Sep 17 00:00:00 2001 +From: Zoltan Herczeg +Date: Thu, 24 Mar 2022 05:34:42 +0000 +Subject: [PATCH] Fix incorrect value reading in JIT. + +CVE: CVE-2022-1586 +Upstream-Status: Backport [https://github.com/PCRE2Project/pcre2/commit/d4fa336fbcc3] + +(cherry picked from commit d4fa336fbcc388f89095b184ba6d99422cfc676c) +Signed-off-by: Shinu Chandran +--- + src/pcre2_jit_compile.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/pcre2_jit_compile.c b/src/pcre2_jit_compile.c +index 493c96d..fa57942 100644 +--- a/src/pcre2_jit_compile.c ++++ b/src/pcre2_jit_compile.c +@@ -7188,7 +7188,7 @@ while (*cc != XCL_END) + { + SLJIT_ASSERT(*cc == XCL_PROP || *cc == XCL_NOTPROP); + cc++; +- if (*cc == PT_CLIST && *cc == XCL_PROP) ++ if (*cc == PT_CLIST && cc[-1] == XCL_PROP) + { + other_cases = PRIV(ucd_caseless_sets) + cc[1]; + while (*other_cases != NOTACHAR) +-- +2.25.1 + diff --git a/meta/recipes-support/libpcre/libpcre2_10.34.bb b/meta/recipes-support/libpcre/libpcre2_10.34.bb index 3e1b001c32..53277270d2 100644 --- a/meta/recipes-support/libpcre/libpcre2_10.34.bb +++ b/meta/recipes-support/libpcre/libpcre2_10.34.bb @@ -13,6 +13,7 @@ LIC_FILES_CHKSUM = "file://LICENCE;md5=b1588d3bb4cb0e1f5a597d908f8c5b37" SRC_URI = "http://downloads.yoctoproject.org/mirror/sources/pcre2-${PV}.tar.bz2 \ file://pcre-cross.patch \ file://CVE-2022-1586.patch \ + file://CVE-2022-1586-regression.patch \ file://CVE-2022-1587.patch \ file://CVE-2022-41409.patch \ " From patchwork Tue Oct 10 14:14:25 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 31933 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id CC891CD8C89 for ; Tue, 10 Oct 2023 14:14:49 +0000 (UTC) Received: from mail-pl1-f178.google.com (mail-pl1-f178.google.com [209.85.214.178]) by mx.groups.io with SMTP id smtpd.web10.92778.1696947287776586595 for ; Tue, 10 Oct 2023 07:14:47 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=Hw6FXTAv; spf=softfail (domain: sakoman.com, ip: 209.85.214.178, mailfrom: steve@sakoman.com) Received: by mail-pl1-f178.google.com with SMTP id d9443c01a7336-1c5bf7871dcso42021665ad.1 for ; Tue, 10 Oct 2023 07:14:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1696947287; x=1697552087; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=lMOjLP1M2xSDNne+vOs6OW1p42igPc8CZ4+zZUalB+Y=; b=Hw6FXTAvTz9JYpCUR0m528CWOKkg2OiX+vjOEWNeB0wPo+G5raXjXfZkd0phDhGef9 kXcA0uqFnI7RUKNNeeK2WoBfCaN37V9HfycxvC2r1ViBKpE1E42Ge0aU1qlmY+cBXU+O oAvLJrLXx4WTkjvfr1xG683ZxLlMrl1+mWdxyaq+ZBUKj74edVYna+cXV8LfE8e+3Wi1 ZVwLDvSIWHb4hJrHsYVZZj3P/grVQ5onp4IJWhGHTKGv67tAkWSQGg0+UYEv47LCUfMI lFuN0ZZAQ6mWpLaosVjMa/pTT1/a9XwhnQUIwDLVAkCPWkn2om64JT+FkYe3vk8E4Wxv ++Jg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1696947287; x=1697552087; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=lMOjLP1M2xSDNne+vOs6OW1p42igPc8CZ4+zZUalB+Y=; b=ZWH7Vxn2sRIF+DlWKQ8TZ4ue+SMMiJaqkC3PtJm7F8mBgXIJuOm1AtdXV3/jWlL9ds 2oXkLa4dkA5Ja6wfU3dcr6kSk80J1bWPBLjyhZP1NVDud/YWmTV2o5+B8CO1cjg2JX+2 oB+a01banCApFh0kbsyfoPZmnuRTayGriXq48PZ3yizaB5u3zChM4eE3BMug1RR9oIQf 9OEKtHQkSpbbcFXI7HYudyv8tOxNUR4RzRXoSKyb/R2VLzGvvFMG852YA72ksgZWRvUC 2Ie3n2gGWJBq58qJYI8myoMQQnXure4y6yDpXnbhnbERVfukaUDVfQ9wT1BZQJE2KaFH Mciw== X-Gm-Message-State: AOJu0YyTQqUKB5SLynleJ4zSS7w7F7X831hrrwxD4caCTt3siy3gXdf2 w2jfuE5osmCwDkwySbt2c8d0l5mO8ln5RdROkJI= X-Google-Smtp-Source: AGHT+IEETG9EPuuLebb1wqfEA0X+MBJr1PA7cJufFu8jFJgY0AsJhW1Q5HcDtOHXJl16tW3Bk9o5bw== X-Received: by 2002:a17:902:d4c9:b0:1c8:9832:8278 with SMTP id o9-20020a170902d4c900b001c898328278mr8987865plg.48.1696947286884; Tue, 10 Oct 2023 07:14:46 -0700 (PDT) Received: from hexa.router0800d9.com (dhcp-72-234-106-30.hawaiiantel.net. [72.234.106.30]) by smtp.gmail.com with ESMTPSA id b8-20020a170902d50800b001b81a97860asm11737610plg.27.2023.10.10.07.14.46 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 10 Oct 2023 07:14:46 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 08/11] ghostscript: Backport fix CVE-2023-43115 Date: Tue, 10 Oct 2023 04:14:25 -1000 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 10 Oct 2023 14:14:49 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/188906 From: Vijay Anusuri In Artifex Ghostscript through 10.01.2, gdevijs.c in GhostPDL can lead to remote code execution via crafted PostScript documents because they can switch to the IJS device, or change the IjsServer parameter, after SAFER has been activated. NOTE: it is a documented risk that the IJS server can be specified on a gs command line (the IJS device inherently must execute a command to start the IJS server). References: https://nvd.nist.gov/vuln/detail/CVE-2023-43115 Upstream commit: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=e59216049cac290fb437a04c4f41ea46826cfba5 Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- .../ghostscript/CVE-2023-43115.patch | 62 +++++++++++++++++++ .../ghostscript/ghostscript_9.52.bb | 1 + 2 files changed, 63 insertions(+) create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2023-43115.patch diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-43115.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-43115.patch new file mode 100644 index 0000000000..3acb8a503c --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-43115.patch @@ -0,0 +1,62 @@ +From 8b0f20002536867bd73ff4552408a72597190cbe Mon Sep 17 00:00:00 2001 +From: Ken Sharp +Date: Thu, 24 Aug 2023 15:24:35 +0100 +Subject: [PATCH] IJS device - try and secure the IJS server startup + +Bug #707051 ""ijs" device can execute arbitrary commands" + +The problem is that the 'IJS' device needs to start the IJS server, and +that is indeed an arbitrary command line. There is (apparently) no way +to validate it. Indeed, this is covered quite clearly in the comments +at the start of the source: + + * WARNING: The ijs server can be selected on the gs command line + * which is a security risk, since any program can be run. + +Previously this used the awful LockSafetyParams hackery, which we +abandoned some time ago because it simply couldn't be made secure (it +was implemented in PostScript and was therefore vulnerable to PostScript +programs). + +This commit prevents PostScript programs switching to the IJS device +after SAFER has been activated, and prevents changes to the IjsServer +parameter after SAFER has been activated. + +SAFER is activated, unless explicitly disabled, before any user +PostScript is executed which means that the device and the server +invocation can only be configured on the command line. This does at +least provide minimal security against malicious PostScript programs. + +Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=e59216049cac290fb437a04c4f41ea46826cfba5] +CVE: CVE-2023-43115 +Signed-off-by: Vijay Anusuri +--- + devices/gdevijs.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/devices/gdevijs.c b/devices/gdevijs.c +index 3d337c5..e50d69f 100644 +--- a/devices/gdevijs.c ++++ b/devices/gdevijs.c +@@ -934,6 +934,9 @@ gsijs_finish_copydevice(gx_device *dev, const gx_device *from_dev) + static const char rgb[] = "DeviceRGB"; + gx_device_ijs *ijsdev = (gx_device_ijs *)dev; + ++ if (ijsdev->memory->gs_lib_ctx->core->path_control_active) ++ return_error(gs_error_invalidaccess); ++ + code = gx_default_finish_copydevice(dev, from_dev); + if(code < 0) + return code; +@@ -1363,7 +1366,7 @@ gsijs_put_params(gx_device *dev, gs_param_list *plist) + if (code >= 0) + code = gsijs_read_string(plist, "IjsServer", + ijsdev->IjsServer, sizeof(ijsdev->IjsServer), +- dev->LockSafetyParams, is_open); ++ ijsdev->memory->gs_lib_ctx->core->path_control_active, is_open); + + if (code >= 0) + code = gsijs_read_string_malloc(plist, "DeviceManufacturer", +-- +2.25.1 + diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.52.bb b/meta/recipes-extended/ghostscript/ghostscript_9.52.bb index 0a2f9f5046..9712871e7f 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.52.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.52.bb @@ -44,6 +44,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d file://CVE-2023-36664-pre1.patch \ file://CVE-2023-36664-1.patch \ file://CVE-2023-36664-2.patch \ + file://CVE-2023-43115.patch \ " SRC_URI = "${SRC_URI_BASE} \ From patchwork Tue Oct 10 14:14:26 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 31934 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 013EFCD8C91 for ; Tue, 10 Oct 2023 14:14:50 +0000 (UTC) Received: from mail-pl1-f172.google.com (mail-pl1-f172.google.com [209.85.214.172]) by mx.groups.io with SMTP id smtpd.web11.92314.1696947289515875004 for ; Tue, 10 Oct 2023 07:14:49 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=UcLIMpe9; spf=softfail (domain: sakoman.com, ip: 209.85.214.172, mailfrom: steve@sakoman.com) Received: by mail-pl1-f172.google.com with SMTP id d9443c01a7336-1c5bf7871dcso42021995ad.1 for ; Tue, 10 Oct 2023 07:14:49 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1696947288; x=1697552088; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=1XLHSbPg9r2cH0UpavJT+TNxIe5at0inpRbMSxxvaBQ=; b=UcLIMpe9mzEyqwiZdRXooHYGs/G81BhUrvYGF1UWCuYOPXXt1YpZMqFwp9QwB8laEP f1tknrm95DccX5uHYwz3HXOtTLsCtstZso9ZIdIad8mxhUHPG2FEshGk3N9WVc+X8/F0 siT1+pN5UPlj38scaFe3PCs8FYnu8XLTj7OMqYKXrGn+CI1cWYe7oIF81F6DxK0jDStH P9ccbck6hNZbAMznKq39U8uLAnvhgqHu+8KknZkauITVDWuIlxXluqdDVA3bdnaAVjnb CaBRO0KVRaLpwltTGSEf/ZjPpzWP+bUptKw21OqA7g2TMfhFvZ3v8vahX2kAeMLvl/6Q uQzg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1696947288; x=1697552088; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=1XLHSbPg9r2cH0UpavJT+TNxIe5at0inpRbMSxxvaBQ=; b=mjTWnDRIElPIT5UKOROc8r1Kc7P9in0RUht85o8zyP6hhP44k0PF9nki78VW5wYr6r g5LgE+C1S6eUEiRY7D64lO1ZT9jBJAQv6mkmBMoZvfj3wzd3eexDS79dzdErUGkc5Y2N xgHNjiS7RSM5JKFLG+8vObDo4Ww7pgHD0GJLlPR2j4/alQQCg5aDQpeFjrSvKUHJs3yv 8hSh8HPt1Ooc7wF6GVhcbq5Pb/IlwJfvV6ScFYRXQLAlzwzJN/CYHB3GwPAhpiq67cYi /tsz8L0EFsKwVV1vCz13XfNnbZlvZMalRqJWZZWkil0i9Krq+rzcItjp/Qr9xErQlHiB +TVA== X-Gm-Message-State: AOJu0Yyv5gdlEPgT+Giw9KeIYPyzI4lklruHaicwXe9yBhRR46nXX3Pp ua9H/fvMkaw053BVNVn+Ispa3qA/KcmxCf03eos= X-Google-Smtp-Source: AGHT+IGgDvPj7FN4QDV135PN8M6sOK/s+q/z5A3ngYD8BIxnVALuAnAR82iYSreS7CuujKFKiGScfw== X-Received: by 2002:a17:903:54d:b0:1c6:1206:c5b0 with SMTP id jo13-20020a170903054d00b001c61206c5b0mr13721120plb.67.1696947288384; Tue, 10 Oct 2023 07:14:48 -0700 (PDT) Received: from hexa.router0800d9.com (dhcp-72-234-106-30.hawaiiantel.net. [72.234.106.30]) by smtp.gmail.com with ESMTPSA id b8-20020a170902d50800b001b81a97860asm11737610plg.27.2023.10.10.07.14.47 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 10 Oct 2023 07:14:48 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 09/11] busybox: Backport CVE-2022-48174 fix Date: Tue, 10 Oct 2023 04:14:26 -1000 Message-Id: <634daf953e4bd8c6df3ee341b5e93cc81e1a620d.1696946306.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 10 Oct 2023 14:14:50 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/188907 From: Marek Vasut There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution. https://nvd.nist.gov/vuln/detail/CVE-2022-48174 CVE: CVE-2022-48174 Signed-off-by: Marek Vasut Signed-off-by: Steve Sakoman --- .../busybox/busybox/CVE-2022-48174.patch | 82 +++++++++++++++++++ meta/recipes-core/busybox/busybox_1.31.1.bb | 1 + 2 files changed, 83 insertions(+) create mode 100644 meta/recipes-core/busybox/busybox/CVE-2022-48174.patch diff --git a/meta/recipes-core/busybox/busybox/CVE-2022-48174.patch b/meta/recipes-core/busybox/busybox/CVE-2022-48174.patch new file mode 100644 index 0000000000..dfba2a7e0f --- /dev/null +++ b/meta/recipes-core/busybox/busybox/CVE-2022-48174.patch @@ -0,0 +1,82 @@ +From c18ebf861528ef24958dd99a146482d2a40014c7 Mon Sep 17 00:00:00 2001 +From: Denys Vlasenko +Date: Mon, 12 Jun 2023 17:48:47 +0200 +Subject: [PATCH] shell: avoid segfault on ${0::0/0~09J}. Closes 15216 + +function old new delta +evaluate_string 1011 1053 +42 + +CVE: CVE-2022-48174 +Upstream-Status: Backport [d417193cf37ca1005830d7e16f5fa7e1d8a44209] +Signed-off-by: Denys Vlasenko +--- + shell/math.c | 39 +++++++++++++++++++++++++++++++++++---- + 1 file changed, 35 insertions(+), 4 deletions(-) + +diff --git a/shell/math.c b/shell/math.c +index af1ab55c0..79824e81f 100644 +--- a/shell/math.c ++++ b/shell/math.c +@@ -578,6 +578,28 @@ static arith_t strto_arith_t(const char *nptr, char **endptr) + # endif + #endif + ++//TODO: much better estimation than expr_len/2? Such as: ++//static unsigned estimate_nums_and_names(const char *expr) ++//{ ++// unsigned count = 0; ++// while (*(expr = skip_whitespace(expr)) != '\0') { ++// const char *p; ++// if (isdigit(*expr)) { ++// while (isdigit(*++expr)) ++// continue; ++// count++; ++// continue; ++// } ++// p = endofname(expr); ++// if (p != expr) { ++// expr = p; ++// count++; ++// continue; ++// } ++// } ++// return count; ++//} ++ + static arith_t FAST_FUNC + evaluate_string(arith_state_t *math_state, const char *expr) + { +@@ -585,10 +607,12 @@ evaluate_string(arith_state_t *math_state, const char *expr) + const char *errmsg; + const char *start_expr = expr = skip_whitespace(expr); + unsigned expr_len = strlen(expr) + 2; +- /* Stack of integers */ +- /* The proof that there can be no more than strlen(startbuf)/2+1 +- * integers in any given correct or incorrect expression +- * is left as an exercise to the reader. */ ++ /* Stack of integers/names */ ++ /* There can be no more than strlen(startbuf)/2+1 ++ * integers/names in any given correct or incorrect expression. ++ * (modulo "09v09v09v09v09v" case, ++ * but we have code to detect that early) ++ */ + var_or_num_t *const numstack = alloca((expr_len / 2) * sizeof(numstack[0])); + var_or_num_t *numstackptr = numstack; + /* Stack of operator tokens */ +@@ -657,6 +681,13 @@ evaluate_string(arith_state_t *math_state, const char *expr) + numstackptr->var = NULL; + errno = 0; + numstackptr->val = strto_arith_t(expr, (char**) &expr); ++ /* A number can't be followed by another number, or a variable name. ++ * We'd catch this later anyway, but this would require numstack[] ++ * to be twice as deep to handle strings where _every_ char is ++ * a new number or name. Example: 09v09v09v09v09v09v09v09v09v ++ */ ++ if (isalnum(*expr) || *expr == '_') ++ goto err; + if (errno) + numstackptr->val = 0; /* bash compat */ + goto num; +-- +2.40.1 + diff --git a/meta/recipes-core/busybox/busybox_1.31.1.bb b/meta/recipes-core/busybox/busybox_1.31.1.bb index d062f0f7dd..94aa1467df 100644 --- a/meta/recipes-core/busybox/busybox_1.31.1.bb +++ b/meta/recipes-core/busybox/busybox_1.31.1.bb @@ -55,6 +55,7 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \ file://CVE-2021-42374.patch \ file://CVE-2021-42376.patch \ file://CVE-2021-423xx-awk.patch \ + file://CVE-2022-48174.patch \ file://0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch \ file://0002-nslookup-sanitize-all-printed-strings-with-printable.patch \ " From patchwork Tue Oct 10 14:14:27 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 31937 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 041A8CD8C89 for ; Tue, 10 Oct 2023 14:15:00 +0000 (UTC) Received: from mail-pf1-f172.google.com (mail-pf1-f172.google.com [209.85.210.172]) by mx.groups.io with SMTP id smtpd.web10.92780.1696947290751190338 for ; Tue, 10 Oct 2023 07:14:50 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=CPVf4EKK; spf=softfail (domain: sakoman.com, ip: 209.85.210.172, mailfrom: steve@sakoman.com) Received: by mail-pf1-f172.google.com with SMTP id d2e1a72fcca58-690bccb0d8aso4394039b3a.0 for ; Tue, 10 Oct 2023 07:14:50 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1696947290; x=1697552090; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=tv7H8PA0jQifegX9fbOzkj1W7Cx5S6QlfqZJ9OfUDks=; b=CPVf4EKKnSZixIGftSUmh6AGEY3Gp7t6ZVgshsVnIa4ZyIwqNIA/PT8ppYN1NcyYSe sFPKSWwyAsaLv7k36lDrK3LgRrYAWPhSKLZQEUOooE3JCRUbauYaMg9n/qKJFUfR5m4d J+lv+QtaoAfxQxu2SbR4DiiMRRbyvX8V/Z9OiNfL9JipQ0YgDJ2eBjWLcm2wznUykYhV jbhRjRsM6ByBQd3AEO7V7LZuWTIgSUAlxxy/rOdsZ6nJC/2ZunecwAEkAZiOMLB0Sy6p 7j46/GHrGDq2JGPt2ceDljpv+eeWltycDVXrZRcF/oewi6DqbebyoUH1fYNiUr90biM2 1FEA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1696947290; x=1697552090; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=tv7H8PA0jQifegX9fbOzkj1W7Cx5S6QlfqZJ9OfUDks=; b=LIiQoxYqGPVWuANX3IkL7nsriEazAJJ+K5z0jGXWyZ4IFl+/INq+5f2l/G3rvbZhEd MBfOBDQEZW01g2WP0xveStXLzOtSFeBPaFMz6cUr1NQX8FlWVmidg3fOAB4G/1YB22C6 lRrXHCtWTXf5eXXGshNTaAlZMt8K/+hCz7lQhnbQLSF7ct7G/QpxOzj/gHEdQHbT1MeQ 3WAyrXOgmnclqRCCM/07etwPKi3AF8RUn2oNWEW2bscMebLUtQPpVla2JolBX9Q0sk9o niz8fzpn1hQwcVTVWaGZFggVplTMOcFUAsYzw1sb4VrSib1kVCYe82Bk7TnEHp3c5hNm 91YQ== X-Gm-Message-State: AOJu0YxV+XoBs2eZqzkTSpzKvmNFaS1azSBUuW2+HNn/eDwG2l8Gs84Y tRxlqqGXIUnuFCkxoaMquP8MAD4O7AV78cKXILE= X-Google-Smtp-Source: AGHT+IHQi3upMIZAl/5fiZwuXmMxfFvEucBWatRNyqnhu60pBRvIMHErYDRXywYbymJ6cdLDr8v4Cg== X-Received: by 2002:a05:6a21:62a:b0:164:e94b:d3ae with SMTP id ll42-20020a056a21062a00b00164e94bd3aemr15376045pzb.54.1696947289825; Tue, 10 Oct 2023 07:14:49 -0700 (PDT) Received: from hexa.router0800d9.com (dhcp-72-234-106-30.hawaiiantel.net. [72.234.106.30]) by smtp.gmail.com with ESMTPSA id b8-20020a170902d50800b001b81a97860asm11737610plg.27.2023.10.10.07.14.49 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 10 Oct 2023 07:14:49 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 10/11] openssl: Upgrade 1.1.1v -> 1.1.1w Date: Tue, 10 Oct 2023 04:14:27 -1000 Message-Id: <79b29a5f77efab978f6a2918d02ee611638aef85.1696946306.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 10 Oct 2023 14:15:00 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/188908 From: Sourav Pramanik https://www.openssl.org/news/openssl-1.1.1-notes.html Major changes between OpenSSL 1.1.1v and OpenSSL 1.1.1w [11 Sep 2023] * Fix POLY1305 MAC implementation corrupting XMM registers on Windows (CVE-2023-4807) Signed-off-by: Sourav Kumar Pramanik Signed-off-by: Steve Sakoman --- .../openssl/{openssl_1.1.1v.bb => openssl_1.1.1w.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta/recipes-connectivity/openssl/{openssl_1.1.1v.bb => openssl_1.1.1w.bb} (98%) diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1v.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1w.bb similarity index 98% rename from meta/recipes-connectivity/openssl/openssl_1.1.1v.bb rename to meta/recipes-connectivity/openssl/openssl_1.1.1w.bb index d1222dc470..8a53b06862 100644 --- a/meta/recipes-connectivity/openssl/openssl_1.1.1v.bb +++ b/meta/recipes-connectivity/openssl/openssl_1.1.1w.bb @@ -26,7 +26,7 @@ SRC_URI_append_class-nativesdk = " \ file://environment.d-openssl.sh \ " -SRC_URI[sha256sum] = "d6697e2871e77238460402e9362d47d18382b15ef9f246aba6c7bd780d38a6b0" +SRC_URI[sha256sum] = "cf3098950cb4d853ad95c0841f1f9c6d3dc102dccfcacd521d93925208b76ac8" inherit lib_package multilib_header multilib_script ptest MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash" From patchwork Tue Oct 10 14:14:28 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 31938 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 16E01CD8C8E for ; Tue, 10 Oct 2023 14:15:00 +0000 (UTC) Received: from mail-pl1-f174.google.com (mail-pl1-f174.google.com [209.85.214.174]) by mx.groups.io with SMTP id smtpd.web10.92782.1696947292695341601 for ; Tue, 10 Oct 2023 07:14:52 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=GwhzKj1a; spf=softfail (domain: sakoman.com, ip: 209.85.214.174, mailfrom: steve@sakoman.com) Received: by mail-pl1-f174.google.com with SMTP id d9443c01a7336-1c9b95943beso4019425ad.1 for ; Tue, 10 Oct 2023 07:14:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1696947292; x=1697552092; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=bTZmhwUyhN0bZUNEarlVH/+M40jGEVIwj/X3s1WPOqE=; b=GwhzKj1a98Vr6nIbOBUP+RDysRG3Ee/rdFI71Fb8hFTsRv7UgHdCKdCKWOo7KrWR47 ObnTwpSbgPIVRoFgrR8EFZbWtlYJUzvsQug6XMOuUy0mkhuy+4GCIDLjwNoopimX7cu9 yMjxVfVDWtPQ4S3pFU0EZ0yUoUC5ZZAGyKrSASHFHVg4Ok/ZDXxneU9VI9lSWaR+CMrX ri9KB4HmOaFvk229gGitmQjsdugIPz6CN+Nrp0YUBLDdPYY+qeLTuXpze/5W60N0Hv7C K0QoMiC2/gEg6095ZJez24xR/mrwAkw/TtwrKp1TYvG377YYQ2lw5uvUDRSpYxxUzZMS AxfA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1696947292; x=1697552092; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=bTZmhwUyhN0bZUNEarlVH/+M40jGEVIwj/X3s1WPOqE=; b=eCfGrLuyG+TROixe4KFxYbAgRRc+XoqCePEBYXGH2cob9AFntSKc3bhlJLu8pduWP9 JxvXFrtNNH24lrDH2DkNbBI185ymdtCiwj4Df5apCfQ1XyQQDaaYzlPhppj4IGpiy0jK GTwzHzomJUUtTt3G0u9aS6AgAH0n+xuRFqkzGMAVkBciU35ny5+xLhieCyDqFH0PFRHU 95ivrwsnI/MlUxh/BVOL1j6JD8H4feeL1sdF0b32I69yYb42mnQmVNFY1QbSY5SMoy4l F4Pvdfwvmcoc3pdlR0UeHf4Uq3TnPlj8CZdBGhy193OLR878KatQ44iY97nehJiHXoun AcMA== X-Gm-Message-State: AOJu0Ywa3seNO6ihqm14qdjPT8bQE9PVb+BUOh24Xd3BnR4W9/rvBCUI zM4ei/p1MiIvEUjETLA7/f56/EaEnDHuKJGzCS8= X-Google-Smtp-Source: AGHT+IE7a6DasspyrP3IVuvnt3w9aQbSpCJJVCnJjhMZWkamj4NgbkkJvzQ4gFUjJUTngBrcAHsG0g== X-Received: by 2002:a17:902:a40f:b0:1c8:7800:a241 with SMTP id p15-20020a170902a40f00b001c87800a241mr17501559plq.0.1696947291379; Tue, 10 Oct 2023 07:14:51 -0700 (PDT) Received: from hexa.router0800d9.com (dhcp-72-234-106-30.hawaiiantel.net. [72.234.106.30]) by smtp.gmail.com with ESMTPSA id b8-20020a170902d50800b001b81a97860asm11737610plg.27.2023.10.10.07.14.50 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 10 Oct 2023 07:14:51 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 11/11] cpio: Replace fix wrong CRC with ASCII CRC for large files with upstream backport Date: Tue, 10 Oct 2023 04:14:28 -1000 Message-Id: <0e167ef0eb7ac62ddb991ce80c27882863d8ee7c.1696946306.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 10 Oct 2023 14:15:00 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/188909 From: Marek Vasut Replace the original "Wrong CRC with ASCII CRC for large files" patch with upstream backport, and add additional fix on top of the same problem which upstream detected and fixed. Signed-off-by: Marek Vasut Signed-off-by: Steve Sakoman --- ...g-CRC-with-ASCII-CRC-for-large-files.patch | 39 --- ...-calculation-of-CRC-in-copy-out-mode.patch | 58 ++++ ...appending-to-archives-bigger-than-2G.patch | 312 ++++++++++++++++++ meta/recipes-extended/cpio/cpio_2.13.bb | 3 +- 4 files changed, 372 insertions(+), 40 deletions(-) delete mode 100644 meta/recipes-extended/cpio/cpio-2.13/0001-Wrong-CRC-with-ASCII-CRC-for-large-files.patch create mode 100644 meta/recipes-extended/cpio/cpio-2.13/0003-Fix-calculation-of-CRC-in-copy-out-mode.patch create mode 100644 meta/recipes-extended/cpio/cpio-2.13/0004-Fix-appending-to-archives-bigger-than-2G.patch diff --git a/meta/recipes-extended/cpio/cpio-2.13/0001-Wrong-CRC-with-ASCII-CRC-for-large-files.patch b/meta/recipes-extended/cpio/cpio-2.13/0001-Wrong-CRC-with-ASCII-CRC-for-large-files.patch deleted file mode 100644 index 4b96e4316c..0000000000 --- a/meta/recipes-extended/cpio/cpio-2.13/0001-Wrong-CRC-with-ASCII-CRC-for-large-files.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 77ff5f1be394eb2c786df561ff37dde7f982ec76 Mon Sep 17 00:00:00 2001 -From: Stefano Babic -Date: Fri, 28 Jul 2017 13:20:52 +0200 -Subject: [PATCH] Wrong CRC with ASCII CRC for large files - -Due to signedness, the checksum is not computed when filesize is bigger -a 2GB. - -Upstream-Status: Submitted [https://lists.gnu.org/archive/html/bug-cpio/2017-07/msg00004.html] -Signed-off-by: Stefano Babic ---- - src/copyout.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/src/copyout.c b/src/copyout.c -index 1f0987a..727aeca 100644 ---- a/src/copyout.c -+++ b/src/copyout.c -@@ -34,13 +34,13 @@ - compute and return a checksum for them. */ - - static uint32_t --read_for_checksum (int in_file_des, int file_size, char *file_name) -+read_for_checksum (int in_file_des, unsigned int file_size, char *file_name) - { - uint32_t crc; - char buf[BUFSIZ]; -- int bytes_left; -- int bytes_read; -- int i; -+ unsigned int bytes_left; -+ unsigned int bytes_read; -+ unsigned int i; - - crc = 0; - --- -2.7.4 - diff --git a/meta/recipes-extended/cpio/cpio-2.13/0003-Fix-calculation-of-CRC-in-copy-out-mode.patch b/meta/recipes-extended/cpio/cpio-2.13/0003-Fix-calculation-of-CRC-in-copy-out-mode.patch new file mode 100644 index 0000000000..2dfd348d7c --- /dev/null +++ b/meta/recipes-extended/cpio/cpio-2.13/0003-Fix-calculation-of-CRC-in-copy-out-mode.patch @@ -0,0 +1,58 @@ +From d257e47a6c6b41ba727b196ac96c05ab91bd9d65 Mon Sep 17 00:00:00 2001 +From: Sergey Poznyakoff +Date: Fri, 7 Apr 2023 11:23:37 +0300 +Subject: [PATCH 3/4] Fix calculation of CRC in copy-out mode. + +* src/copyout.c (read_for_checksum): Fix type of the file_size argument. +Rewrite the reading loop. + +Original patch by Stefano Babic + +Upstream-Status: Backport [a1b2f7871c3ae5113e0102b870b15ea06a8f0e3d] +Signed-off-by: Marek Vasut +--- + src/copyout.c | 16 +++++++--------- + 1 file changed, 7 insertions(+), 9 deletions(-) + +diff --git a/src/copyout.c b/src/copyout.c +index 8b0beb6..f1ff351 100644 +--- a/src/copyout.c ++++ b/src/copyout.c +@@ -34,27 +34,25 @@ + compute and return a checksum for them. */ + + static uint32_t +-read_for_checksum (int in_file_des, int file_size, char *file_name) ++read_for_checksum (int in_file_des, off_t file_size, char *file_name) + { + uint32_t crc; +- char buf[BUFSIZ]; +- int bytes_left; +- int bytes_read; +- int i; ++ unsigned char buf[BUFSIZ]; ++ ssize_t bytes_read; ++ ssize_t i; + + crc = 0; + +- for (bytes_left = file_size; bytes_left > 0; bytes_left -= bytes_read) ++ while (file_size > 0) + { + bytes_read = read (in_file_des, buf, BUFSIZ); + if (bytes_read < 0) + error (PAXEXIT_FAILURE, errno, _("cannot read checksum for %s"), file_name); + if (bytes_read == 0) + break; +- if (bytes_left < bytes_read) +- bytes_read = bytes_left; +- for (i = 0; i < bytes_read; ++i) ++ for (i = 0; i < bytes_read; i++) + crc += buf[i] & 0xff; ++ file_size -= bytes_read; + } + if (lseek (in_file_des, 0L, SEEK_SET)) + error (PAXEXIT_FAILURE, errno, _("cannot read checksum for %s"), file_name); +-- +2.39.2 + diff --git a/meta/recipes-extended/cpio/cpio-2.13/0004-Fix-appending-to-archives-bigger-than-2G.patch b/meta/recipes-extended/cpio/cpio-2.13/0004-Fix-appending-to-archives-bigger-than-2G.patch new file mode 100644 index 0000000000..c212bddf7d --- /dev/null +++ b/meta/recipes-extended/cpio/cpio-2.13/0004-Fix-appending-to-archives-bigger-than-2G.patch @@ -0,0 +1,312 @@ +From 8513495ab5cfb63eb7c4c933fdf0b78c6196cd27 Mon Sep 17 00:00:00 2001 +From: Sergey Poznyakoff +Date: Fri, 28 Apr 2023 15:23:46 +0300 +Subject: [PATCH 4/4] Fix appending to archives bigger than 2G + +* src/extern.h (last_header_start): Change type to off_t. +* src/global.c: Likewise. +* src/util.c (prepare_append): Use off_t for file offsets. + +Upstream-Status: Backport [0987d63384f0419b4b14aecdc6a61729b75ce86a] +Signed-off-by: Marek Vasut +--- + src/extern.h | 11 ++++----- + src/global.c | 2 +- + src/util.c | 66 ++++++++++++++++++++++++++-------------------------- + 3 files changed, 39 insertions(+), 40 deletions(-) + +diff --git a/src/extern.h b/src/extern.h +index 11ac6bf..12f14a9 100644 +--- a/src/extern.h ++++ b/src/extern.h +@@ -67,7 +67,7 @@ extern int ignore_devno_option; + + extern bool to_stdout_option; + +-extern int last_header_start; ++extern off_t last_header_start; + extern int copy_matching_files; + extern int numeric_uid; + extern char *pattern_file_name; +@@ -123,7 +123,7 @@ void field_width_error (const char *filename, const char *fieldname, + + /* copypass.c */ + void process_copy_pass (void); +-int link_to_maj_min_ino (char *file_name, int st_dev_maj, ++int link_to_maj_min_ino (char *file_name, int st_dev_maj, + int st_dev_min, ino_t st_ino); + int link_to_name (char const *link_name, char const *link_target); + +@@ -171,7 +171,7 @@ void copy_files_tape_to_disk (int in_des, int out_des, off_t num_bytes); + void copy_files_disk_to_tape (int in_des, int out_des, off_t num_bytes, char *filename); + void copy_files_disk_to_disk (int in_des, int out_des, off_t num_bytes, char *filename); + void warn_if_file_changed (char *file_name, off_t old_file_size, +- time_t old_file_mtime); ++ time_t old_file_mtime); + void create_all_directories (char const *name); + void prepare_append (int out_file_des); + char *find_inode_file (ino_t node_num, +@@ -185,7 +185,7 @@ void set_new_media_message (char *message); + #ifdef HPUX_CDF + char *add_cdf_double_slashes (char *filename); + #endif +-void write_nuls_to_file (off_t num_bytes, int out_des, ++void write_nuls_to_file (off_t num_bytes, int out_des, + void (*writer) (char *in_buf, + int out_des, off_t num_bytes)); + #define DISK_IO_BLOCK_SIZE 512 +@@ -229,6 +229,5 @@ void delay_set_stat (char const *file_name, struct stat *st, + mode_t invert_permissions); + int repair_delayed_set_stat (struct cpio_file_stat *file_hdr); + void apply_delayed_set_stat (void); +- +-int arf_stores_inode_p (enum archive_format arf); + ++int arf_stores_inode_p (enum archive_format arf); +diff --git a/src/global.c b/src/global.c +index fb3abe9..5c9fc05 100644 +--- a/src/global.c ++++ b/src/global.c +@@ -114,7 +114,7 @@ int debug_flag = false; + + /* File position of last header read. Only used during -A to determine + where the old TRAILER!!! record started. */ +-int last_header_start = 0; ++off_t last_header_start = 0; + + /* With -i; if true, copy only files that match any of the given patterns; + if false, copy only files that do not match any of the patterns. (-f) */ +diff --git a/src/util.c b/src/util.c +index 4421b20..3be89a4 100644 +--- a/src/util.c ++++ b/src/util.c +@@ -60,8 +60,8 @@ tape_empty_output_buffer (int out_des) + static long output_bytes_before_lseek = 0; + + /* Some tape drivers seem to have a signed internal seek pointer and +- they lose if it overflows and becomes negative (e.g. when writing +- tapes > 2Gb). Doing an lseek (des, 0, SEEK_SET) seems to reset the ++ they lose if it overflows and becomes negative (e.g. when writing ++ tapes > 2Gb). Doing an lseek (des, 0, SEEK_SET) seems to reset the + seek pointer and prevent it from overflowing. */ + if (output_is_special + && ( (output_bytes_before_lseek += output_size) >= 1073741824L) ) +@@ -106,7 +106,7 @@ static ssize_t sparse_write (int fildes, char *buf, size_t nbyte, bool flush); + descriptor OUT_DES and reset `output_size' and `out_buff'. + If `swapping_halfwords' or `swapping_bytes' is set, + do the appropriate swapping first. Our callers have +- to make sure to only set these flags if `output_size' ++ to make sure to only set these flags if `output_size' + is appropriate (a multiple of 4 for `swapping_halfwords', + 2 for `swapping_bytes'). The fact that DISK_IO_BLOCK_SIZE + must always be a multiple of 4 helps us (and our callers) +@@ -188,8 +188,8 @@ tape_fill_input_buffer (int in_des, int num_bytes) + { + #ifdef BROKEN_LONG_TAPE_DRIVER + /* Some tape drivers seem to have a signed internal seek pointer and +- they lose if it overflows and becomes negative (e.g. when writing +- tapes > 4Gb). Doing an lseek (des, 0, SEEK_SET) seems to reset the ++ they lose if it overflows and becomes negative (e.g. when writing ++ tapes > 4Gb). Doing an lseek (des, 0, SEEK_SET) seems to reset the + seek pointer and prevent it from overflowing. */ + if (input_is_special + && ( (input_bytes_before_lseek += num_bytes) >= 1073741824L) ) +@@ -332,8 +332,8 @@ tape_buffered_peek (char *peek_buf, int in_des, int num_bytes) + + #ifdef BROKEN_LONG_TAPE_DRIVER + /* Some tape drivers seem to have a signed internal seek pointer and +- they lose if it overflows and becomes negative (e.g. when writing +- tapes > 4Gb). Doing an lseek (des, 0, SEEK_SET) seems to reset the ++ they lose if it overflows and becomes negative (e.g. when writing ++ tapes > 4Gb). Doing an lseek (des, 0, SEEK_SET) seems to reset the + seek pointer and prevent it from overflowing. */ + if (input_is_special + && ( (input_bytes_before_lseek += num_bytes) >= 1073741824L) ) +@@ -404,7 +404,7 @@ tape_toss_input (int in_des, off_t num_bytes) + + if (crc_i_flag && only_verify_crc_flag) + { +- int k; ++ int k; + for (k = 0; k < space_left; ++k) + crc += in_buff[k] & 0xff; + } +@@ -416,14 +416,14 @@ tape_toss_input (int in_des, off_t num_bytes) + } + + void +-write_nuls_to_file (off_t num_bytes, int out_des, +- void (*writer) (char *in_buf, int out_des, off_t num_bytes)) ++write_nuls_to_file (off_t num_bytes, int out_des, ++ void (*writer) (char *in_buf, int out_des, off_t num_bytes)) + { + off_t blocks; + off_t extra_bytes; + off_t i; + static char zeros_512[512]; +- ++ + blocks = num_bytes / sizeof zeros_512; + extra_bytes = num_bytes % sizeof zeros_512; + for (i = 0; i < blocks; ++i) +@@ -603,7 +603,7 @@ create_all_directories (char const *name) + char *dir; + + dir = dir_name (name); +- ++ + if (dir == NULL) + error (PAXEXIT_FAILURE, 0, _("virtual memory exhausted")); + +@@ -637,9 +637,9 @@ create_all_directories (char const *name) + void + prepare_append (int out_file_des) + { +- int start_of_header; +- int start_of_block; +- int useful_bytes_in_block; ++ off_t start_of_header; ++ off_t start_of_block; ++ size_t useful_bytes_in_block; + char *tmp_buf; + + start_of_header = last_header_start; +@@ -697,8 +697,8 @@ inode_val_compare (const void *val1, const void *val2) + const struct inode_val *ival1 = val1; + const struct inode_val *ival2 = val2; + return ival1->inode == ival2->inode +- && ival1->major_num == ival2->major_num +- && ival1->minor_num == ival2->minor_num; ++ && ival1->major_num == ival2->major_num ++ && ival1->minor_num == ival2->minor_num; + } + + static struct inode_val * +@@ -706,10 +706,10 @@ find_inode_val (ino_t node_num, unsigned long major_num, + unsigned long minor_num) + { + struct inode_val sample; +- ++ + if (!hash_table) + return NULL; +- ++ + sample.inode = node_num; + sample.major_num = major_num; + sample.minor_num = minor_num; +@@ -734,7 +734,7 @@ add_inode (ino_t node_num, char *file_name, unsigned long major_num, + { + struct inode_val *temp; + struct inode_val *e = NULL; +- ++ + /* Create new inode record. */ + temp = (struct inode_val *) xmalloc (sizeof (struct inode_val)); + temp->inode = node_num; +@@ -1007,7 +1007,7 @@ buf_all_zeros (char *buf, int bufsize) + + /* Write NBYTE bytes from BUF to file descriptor FILDES, trying to + create holes instead of writing blockfuls of zeros. +- ++ + Return the number of bytes written (including bytes in zero + regions) on success, -1 on error. + +@@ -1027,7 +1027,7 @@ sparse_write (int fildes, char *buf, size_t nbytes, bool flush) + + enum { begin, in_zeros, not_in_zeros } state = + delayed_seek_count ? in_zeros : begin; +- ++ + while (nbytes) + { + size_t rest = nbytes; +@@ -1042,7 +1042,7 @@ sparse_write (int fildes, char *buf, size_t nbytes, bool flush) + if (state == not_in_zeros) + { + ssize_t bytes = buf - start_ptr + rest; +- ++ + n = write (fildes, start_ptr, bytes); + if (n == -1) + return -1; +@@ -1091,8 +1091,8 @@ sparse_write (int fildes, char *buf, size_t nbytes, bool flush) + if (n != 1) + return n; + delayed_seek_count = 0; +- } +- ++ } ++ + return nwritten + seek_count; + } + +@@ -1222,7 +1222,7 @@ set_perms (int fd, struct cpio_file_stat *header) + if (!no_chown_flag) + { + uid_t uid = CPIO_UID (header->c_uid); +- gid_t gid = CPIO_GID (header->c_gid); ++ gid_t gid = CPIO_GID (header->c_gid); + if ((fchown_or_chown (fd, header->c_name, uid, gid) < 0) + && errno != EPERM) + chown_error_details (header->c_name, uid, gid); +@@ -1239,13 +1239,13 @@ set_file_times (int fd, + const char *name, unsigned long atime, unsigned long mtime) + { + struct timespec ts[2]; +- ++ + memset (&ts, 0, sizeof ts); + + ts[0].tv_sec = atime; + ts[1].tv_sec = mtime; + +- /* Silently ignore EROFS because reading the file won't have upset its ++ /* Silently ignore EROFS because reading the file won't have upset its + timestamp if it's on a read-only filesystem. */ + if (fdutimens (fd, name, ts) < 0 && errno != EROFS) + utime_error (name); +@@ -1297,7 +1297,7 @@ cpio_safer_name_suffix (char *name, bool link_target, bool absolute_names, + + /* This is a simplified form of delayed set_stat used by GNU tar. + With the time, both forms will merge and pass to paxutils +- ++ + List of directories whose statuses we need to extract after we've + finished extracting their subsidiary files. If you consider each + contiguous subsequence of elements of the form [D]?[^D]*, where [D] +@@ -1415,7 +1415,7 @@ cpio_mkdir (struct cpio_file_stat *file_hdr, int *setstat_delayed) + { + int rc; + mode_t mode = file_hdr->c_mode; +- ++ + if (!(file_hdr->c_mode & S_IWUSR)) + { + rc = mkdir (file_hdr->c_name, mode | S_IWUSR); +@@ -1438,10 +1438,10 @@ cpio_create_dir (struct cpio_file_stat *file_hdr, int existing_dir) + { + int res; /* Result of various function calls. */ + int setstat_delayed = 0; +- ++ + if (to_stdout_option) + return 0; +- ++ + /* Strip any trailing `/'s off the filename; tar puts + them on. We might as well do it here in case anybody + else does too, since they cause strange things to happen. */ +@@ -1530,7 +1530,7 @@ arf_stores_inode_p (enum archive_format arf) + } + return 1; + } +- ++ + void + cpio_file_stat_init (struct cpio_file_stat *file_hdr) + { +-- +2.39.2 + diff --git a/meta/recipes-extended/cpio/cpio_2.13.bb b/meta/recipes-extended/cpio/cpio_2.13.bb index 86527da744..5ab567f360 100644 --- a/meta/recipes-extended/cpio/cpio_2.13.bb +++ b/meta/recipes-extended/cpio/cpio_2.13.bb @@ -10,7 +10,8 @@ SRC_URI = "${GNU_MIRROR}/cpio/cpio-${PV}.tar.gz \ file://0001-Unset-need_charset_alias-when-building-for-musl.patch \ file://0002-src-global.c-Remove-superfluous-declaration-of-progr.patch \ file://CVE-2021-38185.patch \ - file://0001-Wrong-CRC-with-ASCII-CRC-for-large-files.patch \ + file://0003-Fix-calculation-of-CRC-in-copy-out-mode.patch \ + file://0004-Fix-appending-to-archives-bigger-than-2G.patch \ " SRC_URI[md5sum] = "389c5452d667c23b5eceb206f5000810"