From patchwork Thu Nov 30 12:28:00 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Lee, Chee Yang" X-Patchwork-Id: 35441 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1D888C4167B for ; Thu, 30 Nov 2023 12:47:43 +0000 (UTC) Received: from mgamail.intel.com (mgamail.intel.com [192.198.163.10]) by mx.groups.io with SMTP id smtpd.web10.71282.1701348461299727853 for ; Thu, 30 Nov 2023 04:47:41 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@intel.com header.s=Intel header.b=lEcGtTEs; spf=pass (domain: intel.com, ip: 192.198.163.10, mailfrom: chee.yang.lee@intel.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1701348461; x=1732884461; h=from:to:subject:date:message-id:mime-version: content-transfer-encoding; bh=2X7ujrw2z1ViuibXXMonSi5qhmcqwRI3qPMdgkwHZ9k=; b=lEcGtTEsKCJJkEPS2QLKho1AfRpwadS6H36+etOAmH9yFo2Cr0ho/vyu rYvvEsnBfKk+0U4rk5GD6e9iKq7ArUGuWPoUdxcE/iTB2T6Hgm4WWkuKE zYszcFMVsRAB9kZCGc2TMsf8PeXkuSX+gcLjf2skAiDpCZr2+/MG1BKL6 XI9wdVwPRnnaC1r5iq5Z+Jo+gEIMXo1QeRy5rJ24YsMUCcmmduklIsDZr IrqzuRvgZXJED4ziWF24lruW/T9m7htxBqo/o7w4kIkJKeKn8z0+1Qjte yGAd7k4gH7bQUFyXTmuhXn6TjHiQtT24mwfx0Vl/JjKbGDkPzzwW0Ht8w g==; X-IronPort-AV: E=McAfee;i="6600,9927,10909"; a="312352" X-IronPort-AV: E=Sophos;i="6.04,239,1695711600"; d="scan'208";a="312352" Received: from fmsmga007.fm.intel.com ([10.253.24.52]) by fmvoesa104.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 30 Nov 2023 04:47:40 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=McAfee;i="6600,9927,10909"; a="773054913" X-IronPort-AV: E=Sophos;i="6.04,239,1695711600"; d="scan'208";a="773054913" Received: from andromeda02.png.intel.com ([10.221.253.198]) by fmsmga007.fm.intel.com with ESMTP; 30 Nov 2023 04:47:39 -0800 From: chee.yang.lee@intel.com To: openembedded-core@lists.openembedded.org Subject: [kirkstone][PATCH 1/2] python3-urllib3: update to v1.26.18 Date: Thu, 30 Nov 2023 20:28:00 +0800 Message-Id: <20231130122801.2596033-1-chee.yang.lee@intel.com> X-Mailer: git-send-email 2.37.3 MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 30 Nov 2023 12:47:43 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/191506 From: Tan Wen Yan https://github.com/urllib3/urllib3/releases/tag/1.26.18 Major changes in python3-urllib3 1.26.18: - Made body stripped from HTTP requests changing the request method to GET after HTTP 303 "See Other" redirect responses. (CVE-2023-45803) ( cherry picked from commit 74da05b63634c248910594456dae286947f33da5 ) Signed-off-by: Tan Wen Yan Signed-off-by: Steve Sakoman Signed-off-by: Lee Chee Yang --- .../{python3-urllib3_1.26.17.bb => python3-urllib3_1.26.18.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta/recipes-devtools/python/{python3-urllib3_1.26.17.bb => python3-urllib3_1.26.18.bb} (86%) diff --git a/meta/recipes-devtools/python/python3-urllib3_1.26.17.bb b/meta/recipes-devtools/python/python3-urllib3_1.26.18.bb similarity index 86% rename from meta/recipes-devtools/python/python3-urllib3_1.26.17.bb rename to meta/recipes-devtools/python/python3-urllib3_1.26.18.bb index 57b166870aa..d384b5eb2f7 100644 --- a/meta/recipes-devtools/python/python3-urllib3_1.26.17.bb +++ b/meta/recipes-devtools/python/python3-urllib3_1.26.18.bb @@ -3,7 +3,7 @@ HOMEPAGE = "https://github.com/shazow/urllib3" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=c2823cb995439c984fd62a973d79815c" -SRC_URI[sha256sum] = "24d6a242c28d29af46c3fae832c36db3bbebcc533dd1bb549172cd739c82df21" +SRC_URI[sha256sum] = "f8ecc1bba5667413457c529ab955bf8c67b45db799d159066261719e328580a0" inherit pypi setuptools3 From patchwork Thu Nov 30 12:28:01 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Lee, Chee Yang" X-Patchwork-Id: 35442 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1E5B1C46CA3 for ; Thu, 30 Nov 2023 12:47:43 +0000 (UTC) Received: from mgamail.intel.com (mgamail.intel.com [192.198.163.10]) by mx.groups.io with SMTP id smtpd.web10.71282.1701348461299727853 for ; Thu, 30 Nov 2023 04:47:41 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@intel.com header.s=Intel header.b=Q9YHj6Li; spf=pass (domain: intel.com, ip: 192.198.163.10, mailfrom: chee.yang.lee@intel.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1701348462; x=1732884462; h=from:to:subject:date:message-id:in-reply-to:references: mime-version:content-transfer-encoding; bh=W/orPRK9nentRu5DkkUx4DPTbTb0ov5JYQ5+waf8xLw=; b=Q9YHj6Li980R6jUoNKDecw5/GGUuPLhAfwFghponjozRQFBflEHbhUs5 ln5d67g3pIv0xDZshkaxgvS4GZFkrt8EsZWdSVY6xtRHYWFTPimoll3An QrhUN6BBKGGx7obmN4zUlk97/aM4l7JGDftQVa9J4bEzxPorzeCRLI5t7 heqDFbDEJUde+BQp4twRtmpUrcE+SqCKqyhNef3q43B8mNBYw+AJX+4Iw wsw2cB7G2IrzXQekj/bgzj69l0zK2N7M+rChc+10o1QYDnzkTOcwUDb01 LkLGnWC9gO4n3ph7vANNi4B8262AyzQkjolxcX5v1KS9N3v51QLkYthAx w==; X-IronPort-AV: E=McAfee;i="6600,9927,10909"; a="312353" X-IronPort-AV: E=Sophos;i="6.04,239,1695711600"; d="scan'208";a="312353" Received: from fmsmga007.fm.intel.com ([10.253.24.52]) by fmvoesa104.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 30 Nov 2023 04:47:41 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=McAfee;i="6600,9927,10909"; a="773054919" X-IronPort-AV: E=Sophos;i="6.04,239,1695711600"; d="scan'208";a="773054919" Received: from andromeda02.png.intel.com ([10.221.253.198]) by fmsmga007.fm.intel.com with ESMTP; 30 Nov 2023 04:47:40 -0800 From: chee.yang.lee@intel.com To: openembedded-core@lists.openembedded.org Subject: [kirkstone][PATCH 2/2] xwayland: fix CVE-2023-5367 Date: Thu, 30 Nov 2023 20:28:01 +0800 Message-Id: <20231130122801.2596033-2-chee.yang.lee@intel.com> X-Mailer: git-send-email 2.37.3 In-Reply-To: <20231130122801.2596033-1-chee.yang.lee@intel.com> References: <20231130122801.2596033-1-chee.yang.lee@intel.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 30 Nov 2023 12:47:43 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/191507 From: Lee Chee Yang Signed-off-by: Lee Chee Yang --- .../xwayland/xwayland/CVE-2023-5367.patch | 85 +++++++++++++++++++ .../xwayland/xwayland_22.1.8.bb | 4 +- 2 files changed, 88 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2023-5367.patch diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2023-5367.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2023-5367.patch new file mode 100644 index 00000000000..d4da1ecb4b2 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2023-5367.patch @@ -0,0 +1,85 @@ +CVE: CVE-2023-5367 +Upstream-Status: Backport [ https://gitlab.freedesktop.org/xorg/xserver/-/commit/541ab2ecd41d4d8689e71855d93e492bc554719a ] +Signed-off-by: Lee Chee Yang + + +From 541ab2ecd41d4d8689e71855d93e492bc554719a Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Tue, 3 Oct 2023 11:53:05 +1000 +Subject: [PATCH] Xi/randr: fix handling of PropModeAppend/Prepend + +The handling of appending/prepending properties was incorrect, with at +least two bugs: the property length was set to the length of the new +part only, i.e. appending or prepending N elements to a property with P +existing elements always resulted in the property having N elements +instead of N + P. + +Second, when pre-pending a value to a property, the offset for the old +values was incorrect, leaving the new property with potentially +uninitalized values and/or resulting in OOB memory writes. +For example, prepending a 3 element value to a 5 element property would +result in this 8 value array: + [N, N, N, ?, ?, P, P, P ] P, P + ^OOB write + +The XI2 code is a copy/paste of the RandR code, so the bug exists in +both. + +CVE-2023-5367, ZDI-CAN-22153 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Peter Hutterer +--- + Xi/xiproperty.c | 4 ++-- + randr/rrproperty.c | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c +index 066ba21fba..d315f04d0e 100644 +--- a/Xi/xiproperty.c ++++ b/Xi/xiproperty.c +@@ -730,7 +730,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type, + XIDestroyDeviceProperty(prop); + return BadAlloc; + } +- new_value.size = len; ++ new_value.size = total_len; + new_value.type = type; + new_value.format = format; + +@@ -747,7 +747,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, Atom type, + case PropModePrepend: + new_data = new_value.data; + old_data = (void *) (((char *) new_value.data) + +- (prop_value->size * size_in_bytes)); ++ (len * size_in_bytes)); + break; + } + if (new_data) +diff --git a/randr/rrproperty.c b/randr/rrproperty.c +index c2fb9585c6..25469f57b2 100644 +--- a/randr/rrproperty.c ++++ b/randr/rrproperty.c +@@ -209,7 +209,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type, + RRDestroyOutputProperty(prop); + return BadAlloc; + } +- new_value.size = len; ++ new_value.size = total_len; + new_value.type = type; + new_value.format = format; + +@@ -226,7 +226,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, Atom type, + case PropModePrepend: + new_data = new_value.data; + old_data = (void *) (((char *) new_value.data) + +- (prop_value->size * size_in_bytes)); ++ (len * size_in_bytes)); + break; + } + if (new_data) +-- +GitLab + diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb index 6919ba421b4..94797be8e05 100644 --- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb +++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb @@ -9,7 +9,9 @@ HOMEPAGE = "https://fedoraproject.org/wiki/Changes/XwaylandStandalone" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://COPYING;md5=5df87950af51ac2c5822094553ea1880" -SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz" +SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ + file://CVE-2023-5367.patch \ +" SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73" UPSTREAM_CHECK_REGEX = "xwayland-(?P\d+(\.(?!90\d)\d+)+)\.tar"