From patchwork Sat Oct 21 15:28:27 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 32709
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 1/6] qemu: ignore RHEL specific CVE-2023-2680 Date: Sat, 21 Oct 2023 05:28:27 -1000 X-Mailer: git-send-email 2.34.1 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/189588 From: Lee Chee Yang Signed-off-by: Lee Chee Yang Signed-off-by: Steve Sakoman --- meta/recipes-devtools/qemu/qemu.inc | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 5526eacb96..83bd5d7e67 100644 --- a/meta/recipes-devtools/qemu/qemu.inc 
+++ b/meta/recipes-devtools/qemu/qemu.inc 
@@ -125,6 +125,10 @@ CVE_CHECK_IGNORE += "CVE-2018-18438" # this bug related to windows specific. CVE_CHECK_IGNORE += "CVE-2023-0664" +# As per https://bugzilla.redhat.com/show_bug.cgi?id=2203387 +# RHEL specific issue +CVE_CHECK_IGNORE += "CVE-2023-2680" + COMPATIBLE_HOST:mipsarchn32 = "null" COMPATIBLE_HOST:mipsarchn64 = "null" COMPATIBLE_HOST:riscv32 = "null" From patchwork Sat Oct 21 15:28:28 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 32710 
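Review bot: in the qemu.inc hunk of patch 1/6, the comment above `CVE_CHECK_IGNORE += "CVE-2023-2680"` justifies the ignore only with a Bugzilla link and the words "RHEL specific issue", and the commit message has no body. Please state in the comment what makes the issue specific to RHEL (which code is affected and why it is not in this qemu source), so the exclusion can be re-audited from the recipe alone if the link goes away or the CVE record is revised.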
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 2/6] gawk: backport Debian patch to fix CVE-2023-4156 Date: Sat, 21 Oct 2023 05:28:28 -1000 Message-Id: <0547b60d3485c2e3853e5a9e0a3e051882b283f3.1697901991.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/189589 From: Vijay Anusuri Upstream-Status: Backport [https://git.launchpad.net/ubuntu/+source/gawk/tree/debian/patches?h=ubuntu/jammy-security & https://git.savannah.gnu.org/gitweb/?p=gawk.git;a=commitdiff;h=e709eb829448ce040087a3fc5481db6bfcaae212] Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- .../gawk/gawk/CVE-2023-4156.patch | 28 +++++++++++++++++++ meta/recipes-extended/gawk/gawk_5.1.1.bb | 1 + 2 files changed, 29 insertions(+) create mode 100644 meta/recipes-extended/gawk/gawk/CVE-2023-4156.patch diff --git a/meta/recipes-extended/gawk/gawk/CVE-2023-4156.patch b/meta/recipes-extended/gawk/gawk/CVE-2023-4156.patch new file mode 100644 index 0000000000..bc157d6afb --- /dev/null +++ b/meta/recipes-extended/gawk/gawk/CVE-2023-4156.patch 
@@ -0,0 +1,28 @@ +From e709eb829448ce040087a3fc5481db6bfcaae212 Mon Sep 17 00:00:00 2001 +From: "Arnold D. Robbins" +Date: Wed, 3 Aug 2022 13:00:54 +0300 +Subject: [PATCH] Smal bug fix in builtin.c. + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/gawk/tree/debian/patches/CVE-2023-4156.patch?h=ubuntu/jammy-security +Upstream commit https://git.savannah.gnu.org/gitweb/?p=gawk.git;a=commitdiff;h=e709eb829448ce040087a3fc5481db6bfcaae212] +CVE: CVE-2023-4156 +Signed-off-by: Vijay Anusuri +--- + ChangeLog | 6 ++++++ + builtin.c | 5 ++++- + 2 files changed, 10 insertions(+), 1 deletion(-) + +--- gawk-5.1.0.orig/builtin.c ++++ gawk-5.1.0/builtin.c +@@ -957,7 +957,10 @@ check_pos: + s1++; + n0--; + } +- if (val >= num_args) { ++ // val could be less than zero if someone provides a field width ++ // so large that it causes integer overflow. Mainly fuzzers do this, ++ // but let's try to be good anyway. ++ if (val < 0 || val >= num_args) { + toofew = true; + break; + } diff --git a/meta/recipes-extended/gawk/gawk_5.1.1.bb b/meta/recipes-extended/gawk/gawk_5.1.1.bb index fe339805d0..0b0d0897bc 100644 --- a/meta/recipes-extended/gawk/gawk_5.1.1.bb +++ b/meta/recipes-extended/gawk/gawk_5.1.1.bb 
@@ -18,6 +18,7 @@ PACKAGECONFIG[mpfr] = "--with-mpfr,--without-mpfr, mpfr" SRC_URI = "${GNU_MIRROR}/gawk/gawk-${PV}.tar.gz \ file://remove-sensitive-tests.patch \ file://run-ptest \ + file://CVE-2023-4156.patch \ " SRC_URI[sha256sum] = "6168d8d1dc8f74bd17d9dc22fa9634c49070f232343b744901da15fb4f06bffd" From patchwork Sat Oct 21 15:28:29 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 32708 
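Review bot: the header of the added CVE-2023-4156.patch in patch 2/6 still carries upstream's diffstat (`ChangeLog | 6 ++++++`, `2 files changed, 10 insertions(+), 1 deletion(-)`), but the file contains only the builtin.c hunk. Drop the ChangeLog line or note in the header that the ChangeLog hunk was removed, so the header matches what is applied. The hunk paths are also `gawk-5.1.0.orig/builtin.c` while the recipe is gawk_5.1.1.bb, so it is worth confirming that the patch applies to 5.1.1 without fuzz.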
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 3/6] zlib: patch CVE-2023-45853 Date: Sat, 21 Oct 2023 05:28:29 -1000 Message-Id: <6e265e44febbb6fdf85c7926b9a64b731c98d814.1697901991.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/189590 From: Peter Marko Backport commit merged to develop branch from PR linked in NVD report: * https://nvd.nist.gov/vuln/detail/CVE-2023-45853 * https://github.com/madler/zlib/pull/843 Signed-off-by: Peter Marko Signed-off-by: Steve Sakoman --- .../zlib/zlib/CVE-2023-45853.patch | 42 +++++++++++++++++++ meta/recipes-core/zlib/zlib_1.2.11.bb | 1 + 2 files changed, 43 insertions(+) create mode 100644 meta/recipes-core/zlib/zlib/CVE-2023-45853.patch diff --git a/meta/recipes-core/zlib/zlib/CVE-2023-45853.patch b/meta/recipes-core/zlib/zlib/CVE-2023-45853.patch new file mode 100644 index 0000000000..ba3709249b --- /dev/null +++ b/meta/recipes-core/zlib/zlib/CVE-2023-45853.patch 
@@ -0,0 +1,42 @@ +From 73331a6a0481067628f065ffe87bb1d8f787d10c Mon Sep 17 00:00:00 2001 +From: Hans Wennborg +Date: Fri, 18 Aug 2023 11:05:33 +0200 +Subject: [PATCH] Reject overflows of zip header fields in minizip. + +This checks the lengths of the file name, extra field, and comment +that would be put in the zip headers, and rejects them if they are +too long. They are each limited to 65535 bytes in length by the zip +format. This also avoids possible buffer overflows if the provided +fields are too long. + +CVE: CVE-2023-45853 +Upstream-Status: Backport [https://github.com/madler/zlib/commit/73331a6a0481067628f065ffe87bb1d8f787d10c] + +Signed-off-by: Peter Marko + +--- + contrib/minizip/zip.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/contrib/minizip/zip.c b/contrib/minizip/zip.c +index 3d3d4cadd..0446109b2 100644 +--- a/contrib/minizip/zip.c ++++ b/contrib/minizip/zip.c +@@ -1043,6 +1043,17 @@ extern int ZEXPORT zipOpenNewFileInZip4_64(zipFile file, const char* filename, c + return ZIP_PARAMERROR; + #endif + ++ // The filename and comment length must fit in 16 bits. ++ if ((filename!=NULL) && (strlen(filename)>0xffff)) ++ return ZIP_PARAMERROR; ++ if ((comment!=NULL) && (strlen(comment)>0xffff)) ++ return ZIP_PARAMERROR; ++ // The extra field length must fit in 16 bits. If the member also requires ++ // a Zip64 extra block, that will also need to fit within that 16-bit ++ // length, but that will be checked for later. ++ if ((size_extrafield_local>0xffff) || (size_extrafield_global>0xffff)) ++ return ZIP_PARAMERROR; ++ + zi = (zip64_internal*)file; + + if (zi->in_opened_file_inzip == 1) diff --git a/meta/recipes-core/zlib/zlib_1.2.11.bb b/meta/recipes-core/zlib/zlib_1.2.11.bb index f768b41988..d75474dcb6 100644 --- a/meta/recipes-core/zlib/zlib_1.2.11.bb +++ b/meta/recipes-core/zlib/zlib_1.2.11.bb 
@@ -12,6 +12,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/libpng/${BPN}/${PV}/${BPN}-${PV}.tar.xz \ file://CVE-2018-25032.patch \ file://run-ptest \ file://CVE-2022-37434.patch \ + file://CVE-2023-45853.patch \ " UPSTREAM_CHECK_URI = "http://zlib.net/" From patchwork Sat Oct 21 15:28:30 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 32712 
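Review bot: the comment added in the zip.c hunk of patch 3/6 says the Zip64 extra block length "will be checked for later", but this backport adds only the three early `ZIP_PARAMERROR` checks, and the target recipe is zlib_1.2.11.bb rather than upstream's develop branch. Please confirm that the later check exists in the 1.2.11 version of zipOpenNewFileInZip4_64, or say in the patch header that it does not, since otherwise the comment promises a bound this tree may not enforce.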
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 4/6] linux-firmware: upgrade 20230625 -> 20230804 Date: Sat, 21 Oct 2023 05:28:30 -1000 X-Mailer: git-send-email 2.34.1 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/189591 
From: Meenali Gupta License-Update: additional firmwares upgrade include fix for CVE-2023-20569 CVE-2022-40982 CVE-2023-20593 Changelog: https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/ References: https://nvd.nist.gov/vuln/detail/CVE-2023-20569 https://nvd.nist.gov/vuln/detail/CVE-2022-40982 https://nvd.nist.gov/vuln/detail/CVE-2023-20593 Signed-off-by: Meenali Gupta Signed-off-by: Steve Sakoman --- ...{linux-firmware_20230625.bb => linux-firmware_20230804.bb} | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) rename meta/recipes-kernel/linux-firmware/{linux-firmware_20230625.bb => linux-firmware_20230804.bb} (99%) diff --git a/meta/recipes-kernel/linux-firmware/linux-firmware_20230625.bb b/meta/recipes-kernel/linux-firmware/linux-firmware_20230804.bb similarity index 99% rename from meta/recipes-kernel/linux-firmware/linux-firmware_20230625.bb rename to meta/recipes-kernel/linux-firmware/linux-firmware_20230804.bb index 6765226b9d..4defab434d 100644 --- a/meta/recipes-kernel/linux-firmware/linux-firmware_20230625.bb +++ b/meta/recipes-kernel/linux-firmware/linux-firmware_20230804.bb @@ -134,7 +134,7 @@ LIC_FILES_CHKSUM = "file://LICENCE.Abilis;md5=b5ee3f410780e56711ad48eadc22b8bc \ " # WHENCE checksum is defined separately to ease overriding it if # class-devupstream is selected. -WHENCE_CHKSUM = "57bf874056926f12aec2405d3fc390d9" +WHENCE_CHKSUM = "41f9a48bf27971b126a36f9344594dcd" # These are not common licenses, set NO_GENERIC_LICENSE for them # so that the license files will be copied from fetched source 
@@ -212,7 +212,7 @@ SRC_URI:class-devupstream = "git://git.kernel.org/pub/scm/linux/kernel/git/firmw # Pin this to the 20220509 release, override this in local.conf SRCREV:class-devupstream ?= "b19cbdca78ab2adfd210c91be15a22568e8b8cae" -SRC_URI[sha256sum] = "87597111c0d4b71b31e53cb85a92c386921b84c825a402db8c82e0e86015500d" +SRC_URI[sha256sum] = "88d46c543847ee3b03404d4941d91c92974690ee1f6fdcbee9cef3e5f97db688" inherit allarch From patchwork Sat Oct 21 15:28:31 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 32713 
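Review bot: in the second hunk of patch 4/6, the context line `# Pin this to the 20220509 release, override this in local.conf` and the `SRCREV:class-devupstream` below it are left unchanged while the recipe moves to 20230804, so by its own comment the devupstream variant stays pinned to a snapshot older than the release this upgrade takes for the CVE fixes named in the commit message. Update the SRCREV and its comment together with this upgrade, or say in the commit message that the pin is intentionally left alone.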
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 5/6] libx11: Security Fix for CVE-2023-43785, CVE-2023-43786 and CVE-2023-43787 Date: Sat, 21 Oct 2023 05:28:31 -1000 Message-Id: <8175d023c203d524d011d8947f90fbd02786c6db.1697901991.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/189592 From: Siddharth Doshi CVE's Fixed: CVE-2023-43785: libX11: out-of-bounds memory access in _XkbReadKeySyms() CVE-2023-43786: libX11: stack exhaustion from infinite recursion in PutSubImage() CVE-2023-43787: libX11: integer overflow in XCreateImage() leading to a heap overflow Signed-off-by: Siddharth Doshi Signed-off-by: Steve Sakoman --- .../xorg-lib/libx11/CVE-2023-43785.patch | 62 ++++++++++++++++++ .../xorg-lib/libx11/CVE-2023-43786-0001.patch | 41 ++++++++++++ .../xorg-lib/libx11/CVE-2023-43786-0002.patch | 45 +++++++++++++ .../xorg-lib/libx11/CVE-2023-43786-0003.patch | 51 +++++++++++++++ .../xorg-lib/libx11/CVE-2023-43787.patch | 63 +++++++++++++++++++ .../xorg-lib/libx11_1.7.3.1.bb | 5 ++ 6 files changed, 267 insertions(+) create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43785.patch create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-0001.patch create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-0002.patch create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-0003.patch create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787.patch diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43785.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43785.patch new file mode 100644 index 0000000000..64f8776cc9 --- /dev/null 
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43785.patch 
@@ -0,0 +1,62 @@ +From 6858d468d9ca55fb4c5fd70b223dbc78a3358a7f Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Sun, 17 Sep 2023 14:19:40 -0700 +Subject: [PATCH] CVE-2023-43785: out-of-bounds memory access in + _XkbReadKeySyms() + +Make sure we allocate enough memory in the first place, and +also handle error returns from _XkbReadBufferCopyKeySyms() when +it detects out-of-bounds issues. + +Reported-by: Gregory James DUCK +Signed-off-by: Alan Coopersmith + +Upstream-Status: Backport from [https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/6858d468d9ca55fb4c5fd70b223dbc78a3358a7f] +CVE: CVE-2023-43785 +Signed-off-by: Siddharth Doshi +--- + src/xkb/XKBGetMap.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/src/xkb/XKBGetMap.c b/src/xkb/XKBGetMap.c +index 2891d21..31199e4 100644 +--- a/src/xkb/XKBGetMap.c ++++ b/src/xkb/XKBGetMap.c +@@ -182,7 +182,8 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep) + if (offset + newMap->nSyms >= map->size_syms) { + register int sz; + +- sz = map->size_syms + 128; ++ sz = offset + newMap->nSyms; ++ sz = ((sz + (unsigned) 128) / 128) * 128; + _XkbResizeArray(map->syms, map->size_syms, sz, KeySym); + if (map->syms == NULL) { + map->size_syms = 0; +@@ -191,8 +192,9 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep) + map->size_syms = sz; + } + if (newMap->nSyms > 0) { +- _XkbReadBufferCopyKeySyms(buf, (KeySym *) &map->syms[offset], +- newMap->nSyms); ++ if (_XkbReadBufferCopyKeySyms(buf, (KeySym *) &map->syms[offset], ++ newMap->nSyms) == 0) ++ return BadLength; + offset += newMap->nSyms; + } + else { +@@ -222,8 +224,10 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, xkbGetMapReply *rep) + newSyms = XkbResizeKeySyms(xkb, i + rep->firstKeySym, tmp); + if (newSyms == NULL) + return BadAlloc; +- if (newMap->nSyms > 0) +- _XkbReadBufferCopyKeySyms(buf, newSyms, newMap->nSyms); ++ if (newMap->nSyms > 0) { ++ if 
(_XkbReadBufferCopyKeySyms(buf, newSyms, newMap->nSyms) == 0) ++ return BadLength; ++ } + else + newSyms[0] = NoSymbol; + oldMap->kt_index[0] = newMap->ktIndex[0]; +-- +2.35.7 + diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-0001.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-0001.patch new file mode 100644 index 0000000000..db5b7067aa --- /dev/null +++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-0001.patch @@ -0,0 +1,41 @@ +From 204c3393c4c90a29ed6bef64e43849536e863a86 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Thu, 7 Sep 2023 15:54:30 -0700 +Subject: [PATCH] CVE-2023-43786: stack exhaustion from infinite recursion in + PutSubImage() + +When splitting a single line of pixels into chunks to send to the +X server, be sure to take into account the number of bits per pixel, +so we don't just loop forever trying to send more pixels than fit in +the given request size and not breaking them down into a small enough +chunk to fix. + +Fixes: "almost complete rewrite" (Dec. 12, 1987) from X11R2 +Signed-off-by: Alan Coopersmith + +Upstream-Status: Backport from [https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/204c3393c4c90a29ed6bef64e43849536e863a86] +CVE: CVE-2023-43786 +Signed-off-by: Siddharth Doshi +--- + src/PutImage.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/PutImage.c b/src/PutImage.c +index 857ee91..a6db7b4 100644 +--- a/src/PutImage.c ++++ b/src/PutImage.c +@@ -914,8 +914,9 @@ PutSubImage ( + req_width, req_height - SubImageHeight, + dest_bits_per_pixel, dest_scanline_pad); + } else { +- int SubImageWidth = (((Available << 3) / dest_scanline_pad) +- * dest_scanline_pad) - left_pad; ++ int SubImageWidth = ((((Available << 3) / dest_scanline_pad) ++ * dest_scanline_pad) - left_pad) ++ / dest_bits_per_pixel; + + PutSubImage(dpy, d, gc, image, req_xoffset, req_yoffset, x, y, + (unsigned int) SubImageWidth, 1, +-- +2.35.7 + 
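Review bot: the `Upstream-Status:` tag in the header of the added CVE-2023-43786-0001.patch (and of CVE-2023-43785.patch before it) is written `Backport from [<url>]`, while the gawk and zlib patches in this same series use `Backport [<url>]`. Use one form across the series, preferably the latter, so anything that parses the tag sees the same syntax in every patch. The 0001 file is also the only one of the three CVE-2023-43786 patches whose subject names the CVE, so a line in the commit message explaining why 0002 and 0003 are filed under the same CVE would help later audits.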
diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-0002.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-0002.patch new file mode 100644 index 0000000000..e46b3a2b24 --- /dev/null +++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-0002.patch @@ -0,0 +1,45 @@ +From 73a37d5f2fcadd6540159b432a70d80f442ddf4a Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Thu, 7 Sep 2023 15:55:04 -0700 +Subject: [PATCH] XPutImage: clip images to maximum height & width allowed by + protocol + +The PutImage request specifies height & width of the image as CARD16 +(unsigned 16-bit integer), same as the maximum dimensions of an X11 +Drawable, which the image is being copied to. + +Signed-off-by: Alan Coopersmith + +Upstream-Status: Backport from [https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/73a37d5f2fcadd6540159b432a70d80f442ddf4a] +CVE: CVE-2023-43786 +Signed-off-by: Siddharth Doshi +--- + src/PutImage.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/PutImage.c b/src/PutImage.c +index a6db7b4..ba411e3 100644 +--- a/src/PutImage.c ++++ b/src/PutImage.c +@@ -30,6 +30,7 @@ in this Software without prior written authorization from The Open Group. + #include "Xlibint.h" + #include "Xutil.h" + #include ++#include + #include "Cr.h" + #include "ImUtil.h" + #include "reallocarray.h" +@@ -962,6 +963,10 @@ XPutImage ( + height = image->height - req_yoffset; + if ((width <= 0) || (height <= 0)) + return 0; ++ if (width > USHRT_MAX) ++ width = USHRT_MAX; ++ if (height > USHRT_MAX) ++ height = USHRT_MAX; + + if ((image->bits_per_pixel == 1) || (image->format != ZPixmap)) { + dest_bits_per_pixel = 1; +-- +2.35.7 + diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-0003.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-0003.patch new file mode 100644 index 0000000000..2f47fe0bf2 --- /dev/null +++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-0003.patch 
@@ -0,0 +1,51 @@ +From b4031fc023816aca07fbd592ed97010b9b48784b Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Thu, 7 Sep 2023 16:12:27 -0700 +Subject: [PATCH] XCreatePixmap: trigger BadValue error for out-of-range + dimensions + +The CreatePixmap request specifies height & width of the image as CARD16 +(unsigned 16-bit integer), so if either is larger than that, set it to 0 +so the X server returns a BadValue error as the protocol requires. + +Signed-off-by: Alan Coopersmith + +Upstream-Status: Backport from [https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/b4031fc023816aca07fbd592ed97010b9b48784b] +CVE: CVE-2023-43786 +Signed-off-by: Siddharth Doshi +--- + src/CrPixmap.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/src/CrPixmap.c b/src/CrPixmap.c +index cdf3120..3cb2ca6 100644 +--- a/src/CrPixmap.c ++++ b/src/CrPixmap.c +@@ -28,6 +28,7 @@ in this Software without prior written authorization from The Open Group. + #include + #endif + #include "Xlibint.h" ++#include + + #ifdef USE_DYNAMIC_XCURSOR + void +@@ -47,6 +48,16 @@ Pixmap XCreatePixmap ( + Pixmap pid; + register xCreatePixmapReq *req; + ++ /* ++ * Force a BadValue X Error if the requested dimensions are larger ++ * than the X11 protocol has room for, since that's how callers expect ++ * to get notified of errors. ++ */ ++ if (width > USHRT_MAX) ++ width = 0; ++ if (height > USHRT_MAX) ++ height = 0; ++ + LockDisplay(dpy); + GetReq(CreatePixmap, req); + req->drawable = d; +-- +2.35.7 + diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787.patch new file mode 100644 index 0000000000..4b5cd694ab --- /dev/null +++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787.patch 
@@ -0,0 +1,63 @@ +From 7916869d16bdd115ac5be30a67c3749907aea6a0 Mon Sep 17 00:00:00 2001 +From: Yair Mizrahi +Date: Thu, 7 Sep 2023 16:15:32 -0700 +Subject: [PATCH] CVE-2023-43787: Integer overflow in XCreateImage() leading to + a heap overflow + +When the format is `Pixmap` it calculates the size of the image data as: + ROUNDUP((bits_per_pixel * width), image->bitmap_pad); +There is no validation on the `width` of the image, and so this +calculation exceeds the capacity of a 4-byte integer, causing an overflow. + +Signed-off-by: Alan Coopersmith + +Upstream-Status: Backport from [https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/7916869d16bdd115ac5be30a67c3749907aea6a0] +CVE: CVE-2023-43787 +Signed-off-by: Siddharth Doshi +--- + src/ImUtil.c | 20 +++++++++++++++----- + 1 file changed, 15 insertions(+), 5 deletions(-) + +diff --git a/src/ImUtil.c b/src/ImUtil.c +index 36f08a0..fbfad33 100644 +--- a/src/ImUtil.c ++++ b/src/ImUtil.c +@@ -30,6 +30,7 @@ in this Software without prior written authorization from The Open Group. + #include + #include + #include ++#include + #include "ImUtil.h" + + static int _XDestroyImage(XImage *); +@@ -361,13 +362,22 @@ XImage *XCreateImage ( + /* + * compute per line accelerator. + */ +- { +- if (format == ZPixmap) ++ if (format == ZPixmap) { ++ if ((INT_MAX / bits_per_pixel) < width) { ++ Xfree(image); ++ return NULL; ++ } ++ + min_bytes_per_line = +- ROUNDUP((bits_per_pixel * width), image->bitmap_pad); +- else ++ ROUNDUP((bits_per_pixel * width), image->bitmap_pad); ++ } else { ++ if ((INT_MAX - offset) < width) { ++ Xfree(image); ++ return NULL; ++ } ++ + min_bytes_per_line = +- ROUNDUP((width + offset), image->bitmap_pad); ++ ROUNDUP((width + offset), image->bitmap_pad); + } + if (image_bytes_per_line == 0) { + image->bytes_per_line = min_bytes_per_line; +-- +2.35.7 + diff --git a/meta/recipes-graphics/xorg-lib/libx11_1.7.3.1.bb b/meta/recipes-graphics/xorg-lib/libx11_1.7.3.1.bb index 19687d546b..d783f60103 100644 
--- a/meta/recipes-graphics/xorg-lib/libx11_1.7.3.1.bb +++ b/meta/recipes-graphics/xorg-lib/libx11_1.7.3.1.bb 
@@ -18,6 +18,11 @@ SRC_URI += "file://disable_tests.patch \ file://CVE-2022-3554.patch \ file://CVE-2022-3555.patch \ file://CVE-2023-3138.patch \ + file://CVE-2023-43785.patch \ + file://CVE-2023-43786-0001.patch \ + file://CVE-2023-43786-0002.patch \ + file://CVE-2023-43786-0003.patch \ + file://CVE-2023-43787.patch \ " SRC_URI[sha256sum] = "2ffd417266fb875028fdc0ef349694f63dbcd76d0b0cfacfb52e6151f4b60989" From patchwork Sat Oct 21 15:28:32 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 32711 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 80412C004C0 for ; Sat, 21 Oct 2023 15:28:57 +0000 (UTC) Received: from mail-pf1-f179.google.com (mail-pf1-f179.google.com [209.85.210.179]) by mx.groups.io with SMTP id smtpd.web11.81423.1697902131006344115 for ; Sat, 21 Oct 2023 08:28:51 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=tSQDgQfH; spf=softfail (domain: sakoman.com, ip: 209.85.210.179, mailfrom: steve@sakoman.com) Received: by mail-pf1-f179.google.com with SMTP id d2e1a72fcca58-6b20577ef7bso1478149b3a.3 for ; Sat, 21 Oct 2023 08:28:50 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1697902130; x=1698506930; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=KYAws4fh5tg8x3EywH73UZu88qGOyeqqo3aIDJZkmQk=; b=tSQDgQfH1+D0pakN/SfMPyJPzVnz2HehP6rGkFYUrGFAWIUGxVnLVSYt1rXlZDv/YO mhH3bXAhbiC7oLeMKWNzg5tnLngCNwNsKs5NTN5Kl7ccnIVniGJ3q04cQkz0sRlDQPwM 
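Review bot: in CVE-2023-43786-0001.patch, the else branch of PutSubImage() in src/PutImage.c still passes the new value to the recursive call as `(unsigned int) SubImageWidth` with no check that it is positive. If `((Available << 3) / dest_scanline_pad) * dest_scanline_pad` does not exceed left_pad, or the remainder is smaller than dest_bits_per_pixel, the result is negative or zero: a negative value becomes a very large width after the cast, and a zero width would not shrink the remaining work. Dividing by dest_bits_per_pixel corrects the bits-versus-pixels mismatch the commit message describes; an explicit early return when SubImageWidth <= 0 would make termination independent of the request-size arithmetic.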
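Review bot: in CVE-2023-43786-0002.patch, the clamp added to XPutImage() (`if (width > USHRT_MAX) width = USHRT_MAX;` and the same for height) truncates the image silently, and the hunk carries no comment saying so. The XCreatePixmap change in the next patch of this series documents how it handles out-of-range dimensions; a matching comment here, stating that the PutImage fields are CARD16 and that anything beyond that is dropped rather than reported, would help a caller who sees a partial image with no error raised.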
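Review bot: in CVE-2023-43786-0003.patch, the comment added to XCreatePixmap() in src/CrPixmap.c says the code forces a BadValue error but not why assigning 0 achieves that. The commit message has the missing half (the server returns BadValue for the zeroed dimension, as the protocol requires); moving that sentence into the comment above `width = 0;` and `height = 0;` would keep the next reader from taking the assignment for a silent clamp like the one in XPutImage().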
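Review bot: in CVE-2023-43787.patch, the ZPixmap branch of XCreateImage() in src/ImUtil.c bounds the product with `(INT_MAX / bits_per_pixel) < width`, but the product is then handed to ROUNDUP() together with image->bitmap_pad, and the macro's definition is not part of this hunk. If ROUNDUP adds pad - 1 before dividing, a product within bitmap_pad of INT_MAX can still wrap, so the check should leave that margin or the computation should use a wider type. The same margin applies to `(INT_MAX - offset) < width` in the else branch, which also assumes offset is non-negative. Since bits_per_pixel is now a divisor, it is worth confirming it cannot be 0 when this code is reached.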
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 6/6] vim: Upgrade 9.0.2009 -> 9.0.2048 Date: Sat, 21 Oct 2023 05:28:32 -1000 Message-Id: <7681436190354b5c5b6c3a82b3094badd81113de.1697901991.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 21 Oct 2023 15:28:57 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/189593 From: Siddharth Doshi This includes CVE fix for CVE-2023-5535. Signed-off-by: Siddharth Doshi Signed-off-by: Steve Sakoman --- meta/recipes-support/vim/vim.inc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc index 5e06866692..58025828f2 100644 --- a/meta/recipes-support/vim/vim.inc +++ b/meta/recipes-support/vim/vim.inc @@ -19,8 +19,8 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \ file://no-path-adjust.patch \ " -PV .= ".2009" -SRCREV = "54844857fd6933fa4f6678e47610c4b9c9f7a091" +PV .= ".2048" +SRCREV = "982ef16059bd163a77271107020defde0740bbd6" # Do not consider .z in x.y.z, as that is updated with every commit UPSTREAM_CHECK_GITTAGREGEX = "(?P\d+\.\d+)\.0"
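Review bot: the commit message for the vim upgrade says it includes the fix for CVE-2023-5535 but does not name the upstream patch level between 9.0.2009 and 9.0.2048 that carries it. Naming that patch level, along with any other CVE fixes picked up in the range, would let someone auditing the kirkstone branch confirm the claim from the `PV .= ".2048"` and SRCREV change without walking the vim history.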