From patchwork Sat Feb 26 15:41:15 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: akuster808
X-Patchwork-Id: 4347
From: Armin Kuster
To: openembedded-devel@lists.openembedded.org
Subject: [dunfell 1/5] strongswan: Add fix of CVE-2021-45079
Date: Sat, 26 Feb 2022 07:41:15 -0800
Message-Id: <93a315f96f90915382532717cb2c356f995d66b2.1645890015.git.akuster808@gmail.com>
X-Mailer: git-send-email 2.25.1
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/95545

From: Ranjitsinh Rathod

Add a patch to fix CVE-2021-45079

Signed-off-by: Ranjitsinh Rathod
Signed-off-by: Ranjitsinh Rathod
Signed-off-by: Armin Kuster
---
 .../strongswan/files/CVE-2021-45079.patch | 156 ++++++++++++++++++
 .../strongswan/strongswan_5.8.4.bb | 1 +
 2 files changed, 157 insertions(+)
 create mode 100644 meta-networking/recipes-support/strongswan/files/CVE-2021-45079.patch
diff --git a/meta-networking/recipes-support/strongswan/files/CVE-2021-45079.patch b/meta-networking/recipes-support/strongswan/files/CVE-2021-45079.patch new file mode 100644 index 0000000000..97aa6a0efc --- /dev/null +++ b/meta-networking/recipes-support/strongswan/files/CVE-2021-45079.patch 
@@ -0,0 +1,156 @@ +From 76968cdd6b79f6ae40d674554e902ced192fd33e Mon Sep 17 00:00:00 2001 +From: Tobias Brunner +Date: Tue, 14 Dec 2021 10:51:35 +0100 +Subject: [PATCH] eap-authenticator: Enforce failure if MSK generation fails + +Without this, the authentication succeeded if the server sent an early +EAP-Success message for mutual, key-generating EAP methods like EAP-TLS, +which may be used in EAP-only scenarios but would complete without server +or client authentication. For clients configured for such EAP-only +scenarios, a rogue server could capture traffic after the tunnel is +established or even access hosts behind the client. For non-mutual EAP +methods, public key server authentication has been enforced for a while. + +A server previously could also crash a client by sending an EAP-Success +immediately without initiating an actual EAP method. + +Fixes: 0706c39cda52 ("added support for EAP methods not establishing an MSK") +Fixes: CVE-2021-45079 + +Upstream-Status: Backport [https://download.strongswan.org/security/CVE-2021-45079/strongswan-5.5.0-5.9.4_eap_success.patch] +CVE: CVE-2021-45079 +Signed-off-by: Ranjitsinh Rathod + +--- + src/libcharon/plugins/eap_gtc/eap_gtc.c | 2 +- + src/libcharon/plugins/eap_md5/eap_md5.c | 2 +- + src/libcharon/plugins/eap_radius/eap_radius.c | 4 ++- + src/libcharon/sa/eap/eap_method.h | 8 ++++- + .../ikev2/authenticators/eap_authenticator.c | 32 ++++++++++++++++--- + 5 files changed, 40 insertions(+), 8 deletions(-) + +diff --git a/src/libcharon/plugins/eap_gtc/eap_gtc.c b/src/libcharon/plugins/eap_gtc/eap_gtc.c +index 95ba090b79ce..cffb6222c2f8 100644 +--- a/src/libcharon/plugins/eap_gtc/eap_gtc.c ++++ b/src/libcharon/plugins/eap_gtc/eap_gtc.c +@@ -195,7 +195,7 @@ METHOD(eap_method_t, get_type, eap_type_t, + METHOD(eap_method_t, get_msk, status_t, + private_eap_gtc_t *this, chunk_t *msk) + { +- return FAILED; ++ return NOT_SUPPORTED; + } + + METHOD(eap_method_t, get_identifier, uint8_t, +diff --git 
a/src/libcharon/plugins/eap_md5/eap_md5.c b/src/libcharon/plugins/eap_md5/eap_md5.c +index ab5f7ff6a823..3a92ad7c0a04 100644 +--- a/src/libcharon/plugins/eap_md5/eap_md5.c ++++ b/src/libcharon/plugins/eap_md5/eap_md5.c +@@ -213,7 +213,7 @@ METHOD(eap_method_t, get_type, eap_type_t, + METHOD(eap_method_t, get_msk, status_t, + private_eap_md5_t *this, chunk_t *msk) + { +- return FAILED; ++ return NOT_SUPPORTED; + } + + METHOD(eap_method_t, is_mutual, bool, +diff --git a/src/libcharon/plugins/eap_radius/eap_radius.c b/src/libcharon/plugins/eap_radius/eap_radius.c +index 2dc7a423e702..5336dead13d9 100644 +--- a/src/libcharon/plugins/eap_radius/eap_radius.c ++++ b/src/libcharon/plugins/eap_radius/eap_radius.c +@@ -733,7 +733,9 @@ METHOD(eap_method_t, get_msk, status_t, + *out = msk; + return SUCCESS; + } +- return FAILED; ++ /* we assume the selected method did not establish an MSK, if it failed ++ * to establish one, process() would have failed */ ++ return NOT_SUPPORTED; + } + + METHOD(eap_method_t, get_identifier, uint8_t, +diff --git a/src/libcharon/sa/eap/eap_method.h b/src/libcharon/sa/eap/eap_method.h +index 0b5218dfec15..33564831f86e 100644 +--- a/src/libcharon/sa/eap/eap_method.h ++++ b/src/libcharon/sa/eap/eap_method.h +@@ -114,10 +114,16 @@ struct eap_method_t { + * Not all EAP methods establish a shared secret. For implementations of + * the EAP-Identity method, get_msk() returns the received identity. + * ++ * @note Returning NOT_SUPPORTED is important for implementations of EAP ++ * methods that don't establish an MSK. In particular as client because ++ * key-generating EAP methods MUST fail to process EAP-Success messages if ++ * no MSK is established. 
++ * + * @param msk chunk receiving internal stored MSK + * @return +- * - SUCCESS, or ++ * - SUCCESS, if MSK is established + * - FAILED, if MSK not established (yet) ++ * - NOT_SUPPORTED, for non-MSK-establishing methods + */ + status_t (*get_msk) (eap_method_t *this, chunk_t *msk); + +diff --git a/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c +index e1e6cd7ee6f3..87548fc471a6 100644 +--- a/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c ++++ b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c +@@ -305,9 +305,17 @@ static eap_payload_t* server_process_eap(private_eap_authenticator_t *this, + this->method->destroy(this->method); + return server_initiate_eap(this, FALSE); + } +- if (this->method->get_msk(this->method, &this->msk) == SUCCESS) ++ switch (this->method->get_msk(this->method, &this->msk)) + { +- this->msk = chunk_clone(this->msk); ++ case SUCCESS: ++ this->msk = chunk_clone(this->msk); ++ break; ++ case NOT_SUPPORTED: ++ break; ++ case FAILED: ++ default: ++ DBG1(DBG_IKE, "failed to establish MSK"); ++ goto failure; + } + if (vendor) + { +@@ -326,6 +334,7 @@ static eap_payload_t* server_process_eap(private_eap_authenticator_t *this, + return eap_payload_create_code(EAP_SUCCESS, in->get_identifier(in)); + case FAILED: + default: ++failure: + /* type might have changed for virtual methods */ + type = this->method->get_type(this->method, &vendor); + if (vendor) +@@ -661,9 +670,24 @@ METHOD(authenticator_t, process_client, status_t, + uint32_t vendor; + auth_cfg_t *cfg; + +- if (this->method->get_msk(this->method, &this->msk) == SUCCESS) ++ if (!this->method) + { +- this->msk = chunk_clone(this->msk); ++ DBG1(DBG_IKE, "received unexpected %N", ++ eap_code_names, eap_payload->get_code(eap_payload)); ++ return FAILED; ++ } ++ switch (this->method->get_msk(this->method, &this->msk)) ++ { ++ case SUCCESS: ++ this->msk = chunk_clone(this->msk); ++ break; ++ case 
NOT_SUPPORTED: ++ break; ++ case FAILED: ++ default: ++ DBG1(DBG_IKE, "received %N but failed to establish MSK", ++ eap_code_names, eap_payload->get_code(eap_payload)); ++ return FAILED; + } + type = this->method->get_type(this->method, &vendor); + if (vendor) +-- +2.25.1 + diff --git a/meta-networking/recipes-support/strongswan/strongswan_5.8.4.bb b/meta-networking/recipes-support/strongswan/strongswan_5.8.4.bb index b45b8074c4..8a5855fb87 100644 --- a/meta-networking/recipes-support/strongswan/strongswan_5.8.4.bb +++ b/meta-networking/recipes-support/strongswan/strongswan_5.8.4.bb 
@@ -13,6 +13,7 @@ SRC_URI = "http://download.strongswan.org/strongswan-${PV}.tar.bz2 \ file://0001-Remove-obsolete-setting-regarding-the-Standard-Outpu.patch \ file://CVE-2021-41990.patch \ file://CVE-2021-41991.patch \ + file://CVE-2021-45079.patch \ " SRC_URI[md5sum] = "0634e7f40591bd3f6770e583c3f27d29"
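Review bot: In eap_authenticator.c, both new switch statements on get_msk() (in server_process_eap() and in process_client()) treat FAILED as fatal, yet the embedded patch converts only eap_gtc, eap_md5 and eap_radius to return NOT_SUPPORTED. Any other EAP plugin built by this recipe that derives no MSK and still returns FAILED from get_msk() would start failing authentication after this backport. Please confirm each EAP plugin the recipe builds follows the contract now documented in eap_method.h, and say so in the commit message.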
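Review bot: In the eap_radius.c hunk, get_msk() now returns NOT_SUPPORTED whenever no MSK is stored, and the authenticator handles NOT_SUPPORTED with a plain "break", so the exchange continues as for a method that generates no keys. The added comment says this relies on process() having failed earlier for key-generating methods; that guarantee is not visible in this diff. A debug message on this path naming the selected method would let an operator spot a RADIUS server that reported success without key material.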
From: Armin Kuster
To: openembedded-devel@lists.openembedded.org
Subject: [dunfell 2/5] nss: Add fix for CVE-2022-22747
Date: Sat, 26 Feb 2022 07:41:16 -0800
X-Mailer: git-send-email 2.25.1
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/95546

From: Ranjitsinh Rathod

Add a patch to fix CVE-2022-22747

Signed-off-by: Ranjitsinh Rathod
Signed-off-by: Ranjitsinh Rathod
Signed-off-by: Armin Kuster --- .../nss/nss/CVE-2022-22747.patch | 63 +++++++++++++++++++ meta-oe/recipes-support/nss/nss_3.51.1.bb | 1 + 2 files changed, 64 insertions(+) create mode 100644 meta-oe/recipes-support/nss/nss/CVE-2022-22747.patch diff --git a/meta-oe/recipes-support/nss/nss/CVE-2022-22747.patch b/meta-oe/recipes-support/nss/nss/CVE-2022-22747.patch new file mode 100644 index 0000000000..cccb73187d --- /dev/null +++ b/meta-oe/recipes-support/nss/nss/CVE-2022-22747.patch 
@@ -0,0 +1,63 @@ +# HG changeset patch +# User John M. Schanck +# Date 1633990165 0 +# Node ID 7ff99e71f3e37faed12bc3cc90a3eed27e3418d0 +# Parent f80fafd04cf82b4d315c8fe42bb4639703f6ee4f +Bug 1735028 - check for missing signedData field r=keeler + +Differential Revision: https://phabricator.services.mozilla.com/D128112 + +Upstream-Status: Backport [https://hg.mozilla.org/projects/nss/raw-rev/7ff99e71f3e37faed12bc3cc90a3eed27e3418d0] +CVE: CVE-2022-22747 +Signed-off-by: Ranjitsinh Rathod + +diff --git a/nss/gtests/certdb_gtest/decode_certs_unittest.cc b/nss/gtests/certdb_gtest/decode_certs_unittest.cc +--- a/nss/gtests/certdb_gtest/decode_certs_unittest.cc ++++ b/nss/gtests/certdb_gtest/decode_certs_unittest.cc +@@ -21,8 +21,21 @@ TEST_F(DecodeCertsTest, EmptyCertPackage + unsigned char emptyCertPackage[] = {0x30, 0x0f, 0x06, 0x09, 0x60, 0x86, + 0x48, 0x01, 0x86, 0xf8, 0x42, 0x02, + 0x05, 0xa0, 0x02, 0x30, 0x00}; + EXPECT_EQ(nullptr, CERT_DecodeCertFromPackage( + reinterpret_cast(emptyCertPackage), + sizeof(emptyCertPackage))); + EXPECT_EQ(SEC_ERROR_BAD_DER, PR_GetError()); + } ++ ++TEST_F(DecodeCertsTest, EmptySignedData) { ++ // This represents a PKCS#7 ContentInfo of contentType ++ // 1.2.840.113549.1.7.2 (signedData) with missing content. 
++ unsigned char emptySignedData[] = {0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, ++ 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, ++ 0x02, 0x00, 0x00, 0x05, 0x00}; ++ ++ EXPECT_EQ(nullptr, ++ CERT_DecodeCertFromPackage(reinterpret_cast(emptySignedData), ++ sizeof(emptySignedData))); ++ EXPECT_EQ(SEC_ERROR_BAD_DER, PR_GetError()); ++} +diff --git a/nss/lib/pkcs7/certread.c b/nss/lib/pkcs7/certread.c +--- a/nss/lib/pkcs7/certread.c ++++ b/nss/lib/pkcs7/certread.c +@@ -134,16 +134,21 @@ SEC_ReadPKCS7Certs(SECItem *pkcs7Item, C + pkcs7Item) != SECSuccess) { + goto done; + } + + if (GetContentTypeTag(&contentInfo) != SEC_OID_PKCS7_SIGNED_DATA) { + goto done; + } + ++ if (contentInfo.content.signedData == NULL) { ++ PORT_SetError(SEC_ERROR_BAD_DER); ++ goto done; ++ } ++ + rv = SECSuccess; + + certs = contentInfo.content.signedData->certificates; + if (certs) { + count = 0; + + while (*certs) { + count++; diff --git a/meta-oe/recipes-support/nss/nss_3.51.1.bb b/meta-oe/recipes-support/nss/nss_3.51.1.bb index f03473b1a0..8b59f7ea8f 100644 --- a/meta-oe/recipes-support/nss/nss_3.51.1.bb +++ b/meta-oe/recipes-support/nss/nss_3.51.1.bb 
@@ -40,6 +40,7 @@ SRC_URI = "http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/${VERSIO file://CVE-2020-12403_1.patch \ file://CVE-2020-12403_2.patch \ file://CVE-2021-43527.patch \ + file://CVE-2022-22747.patch \ " SRC_URI[md5sum] = "6acaf1ddff69306ae30a908881c6f233"
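Review bot: In the certread.c hunk, the new NULL check on contentInfo.content.signedData calls PORT_SetError(SEC_ERROR_BAD_DER) before "goto done", but the content-type check directly above it leaves through the same label without setting any error. A caller that reads PR_GetError() after that earlier failure gets a stale code. The hunk should stay as upstream has it for a backport, but the inconsistency is worth raising upstream. Also confirm that the decode_certs_unittest.cc hunk applies to the 3.51.1 tree, since a reject there would fail do_patch even though the test is not part of the fix itself.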
From: Armin Kuster
To: openembedded-devel@lists.openembedded.org
Subject: [dunfell 3/5] graphviz: native: create /usr/lib/graphviz/config6 in populate_sysroot
Date: Sat, 26 Feb 2022 07:41:17 -0800
Message-Id: <7c519caa1a66e0a1e94217e10a78417555b93ad3.1645890015.git.akuster808@gmail.com>
X-Mailer: git-send-email 2.25.1
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/95547

From: Christian Eggers The `dot` tool requires to be run once after installation in order to create its configuration file. The do_prepare_recipe_sysroot task uses do_populate_sysroot in order to prepare the recipe-sysroot-native. Package postinstall scripts are not executed for -native packages, but files under ${BINDIR}/postinst-* are. This is quite the same as graphviz-setup.sh does for nativesdk. The general idea has been taken from OECORE/meta/classes/pixbufcache.bbclass. Signed-off-by: Christian Eggers Signed-off-by: Khem Raj Signed-off-by: Armin Kuster --- meta-oe/recipes-graphics/graphviz/graphviz_2.40.1.bb | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/meta-oe/recipes-graphics/graphviz/graphviz_2.40.1.bb b/meta-oe/recipes-graphics/graphviz/graphviz_2.40.1.bb index 81ab86c762..72e2f5cc7a 100644 --- a/meta-oe/recipes-graphics/graphviz/graphviz_2.40.1.bb +++ b/meta-oe/recipes-graphics/graphviz/graphviz_2.40.1.bb 
@@ -55,6 +55,17 @@ do_install_append_class-native() { install -m755 ${B}/lib/gvpr/mkdefs ${D}${bindir} } +# create /usr/lib/graphviz/config6 +graphviz_sstate_postinst() { + mkdir -p ${SYSROOT_DESTDIR}${bindir} + dest=${SYSROOT_DESTDIR}${bindir}/postinst-${PN} + echo '#!/bin/sh' > $dest + echo '' >> $dest + echo 'dot -c' >> $dest + chmod 0755 $dest +} +SYSROOT_PREPROCESS_FUNCS_append_class-native = " graphviz_sstate_postinst" + PACKAGES =+ "${PN}-python ${PN}-perl ${PN}-demo" FILES_${PN}-python += "${libdir}/python*/site-packages/ ${libdir}/graphviz/python/"
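Review bot: In graphviz_sstate_postinst(), $dest is expanded unquoted in all three echo redirections and in the chmod call, so a SYSROOT_DESTDIR containing whitespace would split the path; write "$dest" in each place. The generated script also runs "dot -c" by bare name, which makes it depend on PATH at the time the postinst-${PN} script is executed; please state in the commit message which dot is expected to be found there. The comment above the function hard-codes /usr/lib/graphviz/config6 although the real location follows ${libdir}, so wording it in terms of ${libdir} would be more accurate.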
From: Armin Kuster
To: openembedded-devel@lists.openembedded.org
Subject: [dunfell 4/5] cryptsetup: Add runtime dependency on lvm2-udevrules for udev
Date: Sat, 26 Feb 2022 07:41:18 -0800
X-Mailer: git-send-email 2.25.1
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/95548

From: Kristian Klausen Without the udevrules cryptsetup luksOpen will be hanging with "Udev cookie 0xd4de0f6 (semid 5) waiting for zero". Signed-off-by: Khem Raj (cherry picked from commit 60b33e376b2331cd20950f0745336397790d2201) Signed-off-by: Armin Kuster (cherry picked from commit 32f1d758a14bba35d67a75778ae747f1ff5c5482) [Minor fixup for Dunfell] Signed-off-by: Armin Kuster --- meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.2.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.2.bb b/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.2.bb index b9668eb099..3c1c8b0beb 100644 --- a/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.2.bb +++ b/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.2.bb 
@@ -54,7 +54,7 @@ PACKAGECONFIG[veritysetup] = "--enable-veritysetup,--disable-veritysetup" PACKAGECONFIG[cryptsetup-reencrypt] = "--enable-cryptsetup-reencrypt,--disable-cryptsetup-reencrypt" PACKAGECONFIG[integritysetup] = "--enable-integritysetup,--disable-integritysetup" PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux" -PACKAGECONFIG[udev] = "--enable-udev,--disable-udev,,udev" +PACKAGECONFIG[udev] = "--enable-udev,--disable-udev,,udev lvm2-udevrules" PACKAGECONFIG[kernel_crypto] = "--enable-kernel_crypto,--disable-kernel_crypto" # gcrypt-pkbdf2 requries --with-crypto_backend=gcrypt or the flag isn't # recognized.
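Review bot: The changed PACKAGECONFIG[udev] line places lvm2-udevrules in the runtime-dependency field next to udev, so every image that enables udev for cryptsetup now hard-requires that package. Please confirm that the lvm2 recipe on this branch produces a package with exactly that name, because the commit carries a "[Minor fixup for Dunfell]" tag without saying what was adjusted, and a missing provider would only surface as a dependency error when the root filesystem is assembled.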
From: Armin Kuster
To: openembedded-devel@lists.openembedded.org
Subject: [dunfell 5/5] protobuf: Fix CVE-2021-22570
Date: Sat, 26 Feb 2022 07:41:19 -0800
Message-Id: <0722ff6f021df91542b5efa1ff5b5f6269f66add.1645890015.git.akuster808@gmail.com>
X-Mailer: git-send-email 2.25.1
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/95549

From: Sana Kazi

Fix CVE-2021-22570.

Link: https://koji.fedoraproject.org/koji/buildinfo?buildID=1916865
Link: https://src.fedoraproject.org/rpms/protobuf/blob/394beeacb500861f76473d47e10314e6a3600810/f/CVE-2021-22570.patch

Remove first and second hunk because the second argument in InsertIfNotPresent() function is of type const char* const& but the first and second hunk makes the type of second argument as const string which is not compatible with the type of second argument in InsertIfNotPresent().

Signed-off-by: Sana Kazi
Signed-off-by: Sana Kazi
Signed-off-by: Armin Kuster
---
 .../protobuf/protobuf/CVE-2021-22570.patch | 64 +++++++++++++++++++
 .../protobuf/protobuf_3.11.4.bb | 1 +
 2 files changed, 65 insertions(+)
 create mode 100644 meta-oe/recipes-devtools/protobuf/protobuf/CVE-2021-22570.patch
diff --git a/meta-oe/recipes-devtools/protobuf/protobuf/CVE-2021-22570.patch b/meta-oe/recipes-devtools/protobuf/protobuf/CVE-2021-22570.patch new file mode 100644 index 0000000000..be3180181a --- /dev/null +++ b/meta-oe/recipes-devtools/protobuf/protobuf/CVE-2021-22570.patch
@@ -0,0 +1,64 @@ +CVE: CVE-2021-22570 +Upstream-Status: Backport [https://src.fedoraproject.org/rpms/protobuf/blob/394beeacb500861f76473d47e10314e6a3600810/f/CVE-2021-22570.patch] +Comment: Removed first and second hunk +Signed-off-by: Sana.Kazi + +diff --git a/src/google/protobuf/descriptor.cc b/src/google/protobuf/descriptor.cc +index 7af37c57f3..03c4e2b516 100644 +--- a/src/google/protobuf/descriptor.cc ++++ b/src/google/protobuf/descriptor.cc +@@ -2626,6 +2626,8 @@ void Descriptor::DebugString(int depth, std::string* contents, + const Descriptor::ReservedRange* range = reserved_range(i); + if (range->end == range->start + 1) { + strings::SubstituteAndAppend(contents, "$0, ", range->start); ++ } else if (range->end > FieldDescriptor::kMaxNumber) { ++ strings::SubstituteAndAppend(contents, "$0 to max, ", range->start); + } else { + strings::SubstituteAndAppend(contents, "$0 to $1, ", range->start, + range->end - 1); +@@ -2829,6 +2831,8 @@ void EnumDescriptor::DebugString( + const EnumDescriptor::ReservedRange* range = reserved_range(i); + if (range->end == range->start) { + strings::SubstituteAndAppend(contents, "$0, ", range->start); ++ } else if (range->end == INT_MAX) { ++ strings::SubstituteAndAppend(contents, "$0 to max, ", range->start); + } else { + strings::SubstituteAndAppend(contents, "$0 to $1, ", range->start, + range->end); +@@ -4019,6 +4023,11 @@ bool DescriptorBuilder::AddSymbol(const std::string& full_name, + // Use its file as the parent instead. 
+ if (parent == nullptr) parent = file_; + ++ if (full_name.find('\0') != std::string::npos) { ++ AddError(full_name, proto, DescriptorPool::ErrorCollector::NAME, ++ "\"" + full_name + "\" contains null character."); ++ return false; ++ } + if (tables_->AddSymbol(full_name, symbol)) { + if (!file_tables_->AddAliasUnderParent(parent, name, symbol)) { + // This is only possible if there was already an error adding something of +@@ -4059,6 +4068,11 @@ bool DescriptorBuilder::AddSymbol(const std::string& full_name, + void DescriptorBuilder::AddPackage(const std::string& name, + const Message& proto, + const FileDescriptor* file) { ++ if (name.find('\0') != std::string::npos) { ++ AddError(name, proto, DescriptorPool::ErrorCollector::NAME, ++ "\"" + name + "\" contains null character."); ++ return; ++ } + if (tables_->AddSymbol(name, Symbol(file))) { + // Success. Also add parent package, if any. + std::string::size_type dot_pos = name.find_last_of('.'); +@@ -4372,6 +4386,12 @@ FileDescriptor* DescriptorBuilder::BuildFileImpl( + } + result->pool_ = pool_; + ++ if (result->name().find('\0') != std::string::npos) { ++ AddError(result->name(), proto, DescriptorPool::ErrorCollector::NAME, ++ "\"" + result->name() + "\" contains null character."); ++ return nullptr; ++ } ++ + // Add to tables. + if (!tables_->AddFile(result)) { + AddError(proto.name(), proto, DescriptorPool::ErrorCollector::OTHER, diff --git a/meta-oe/recipes-devtools/protobuf/protobuf_3.11.4.bb b/meta-oe/recipes-devtools/protobuf/protobuf_3.11.4.bb index d2f22ba6b8..55d56ff08e 100644 --- a/meta-oe/recipes-devtools/protobuf/protobuf_3.11.4.bb +++ b/meta-oe/recipes-devtools/protobuf/protobuf_3.11.4.bb 
@@ -17,6 +17,7 @@ SRC_URI = "git://github.com/google/protobuf.git;branch=3.11.x;protocol=https \ file://0001-protobuf-fix-configure-error.patch \ file://0001-Makefile.am-include-descriptor.cc-when-building-libp.patch \ file://0001-examples-Makefile-respect-CXX-LDFLAGS-variables-fix-.patch \ + file://CVE-2021-22570.patch \ " S = "${WORKDIR}/git"
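Review bot: In the three added null-character checks in descriptor.cc (AddSymbol(), AddPackage() and BuildFileImpl()), the rejected name is concatenated into the error text, for example "\"" + full_name + "\" contains null character.", so the message itself carries the embedded NUL byte. An error collector that prints the message through a C-string interface will cut it off at that byte. The hunk should stay as upstream has it for a backport, but anyone matching on this message in build or runtime logs should expect a truncated string.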
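Review bot: The header of the embedded CVE-2021-22570.patch says only "Comment: Removed first and second hunk", while the reason (the InsertIfNotPresent() argument type on this branch) appears only in the mail's commit message. Put that rationale into the patch header so it stays with the file, and confirm there that the remaining hunks are sufficient for the fix without the two that were dropped. In the EnumDescriptor::DebugString() hunk, the new comparison "range->end == INT_MAX" needs INT_MAX to be declared in descriptor.cc on 3.11.4; no include is visible in this diff, so please confirm the file still compiles.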