From patchwork Fri Jan 26 14:20:34 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 38356 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 69A70C48260 for ; Fri, 26 Jan 2024 14:21:12 +0000 (UTC) Received: from mail-pl1-f182.google.com (mail-pl1-f182.google.com [209.85.214.182]) by mx.groups.io with SMTP id smtpd.web11.17136.1706278862639591412 for ; Fri, 26 Jan 2024 06:21:02 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=e0r7KXT1; spf=softfail (domain: sakoman.com, ip: 209.85.214.182, mailfrom: steve@sakoman.com) Received: by mail-pl1-f182.google.com with SMTP id d9443c01a7336-1d8a66a2976so3484645ad.2 for ; Fri, 26 Jan 2024 06:21:02 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1706278862; x=1706883662; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=s5cGfHxREbePcxWdvW5ZTwedQGQAx4O7GTWgduO5ipc=; b=e0r7KXT1Qtm01tbswQvImTnL2EXMvSJZEqM73XKrGUoJkL1m74kj9WaKa9EmEPzskg 4U3q17yt4B03W8VlkQKOnpTfVAHbA0DVTBbI8eOgVcuJE4DLlNn8XNyAvip6UQWLskQ8 xZVS3wy6t/iwj4rBUuBkAtdgR05o8YHzF/L73qx0KZmOM4r19LQQ/wnZZsHwSlPkiegA aWmHEEISxG3RFytCOTHGhrkm4ge4sYYeyrS6+U58GINEi6ptqMgZ5fhmWptCnj6Y3a/L /Yz/eeVZkoPX4dlj5D+rwdXjwIm/e1D8jhXnnEMYeeSn5AIxzVLE+L3KnJMODObGhz9j TpKw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1706278862; x=1706883662; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=s5cGfHxREbePcxWdvW5ZTwedQGQAx4O7GTWgduO5ipc=; b=noHQ2YAXarLMSke5zQ99/dOP761F5b4y30JvgNWOLLsJy40YeWmNCQXps1TWOSiMpU 2vBsq2gY5HfBiromdz0cWiw9Sq2U1T2Z6R5rWrdg3jbDcArf7U8l27l+gD/O+5RSHGl2 ByeLDyqDvOIxiexL9LT2hf6E6F8SJsNIkGEcgJPReBcL7oeXjEJXcjx4CClgGFMosMX8 3+ku8IAIEtrwI9iuQ10xgYkpZMjtQQVXxR3FOWSohshkLu3hZe0BDybkxfd5GZTMmauF HFx0B84kApafQEFUef3Ed5vr66Ypx0b8AvdJzsQs+E7/7a8yl5mI/gc6+Ppk0S/ZkFqY 0UPw== X-Gm-Message-State: AOJu0YzAjfkxqHQv2oQDG4Ev2b9BGaqTBIx9rL25pD4CQ9mMbyafD9ZA prir9PXfv42VSNYZnE3Bhb0UJIbp7TE4qDEtucBos5vb6SQn5Vl/I9Y5XEL6CVRvgw9Uh7VOmiq FMBM= X-Google-Smtp-Source: AGHT+IG2tVEBdW5iJQruvk6rs7I3/ecCzOByJc1bN/0ozRgSjRczYQ3CzkHtKsHIqqx2D9Lpgp+rJQ== X-Received: by 2002:a17:90a:9501:b0:28e:47dc:325e with SMTP id t1-20020a17090a950100b0028e47dc325emr1035443pjo.61.1706278861665; Fri, 26 Jan 2024 06:21:01 -0800 (PST) Received: from hexa.router0800d9.com (dhcp-72-234-108-41.hawaiiantel.net. [72.234.108.41]) by smtp.gmail.com with ESMTPSA id rr14-20020a17090b2b4e00b0029095a896c8sm1136458pjb.40.2024.01.26.06.21.00 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 26 Jan 2024 06:21:01 -0800 (PST) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 1/8] openssh: Fix CVE-2023-51385 Date: Fri, 26 Jan 2024 04:20:34 -1000 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 26 Jan 2024 14:21:12 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/194375 From: Ranjitsinh Rathod OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or host name. This patch fixes the above issue Link: http://archive.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_8.2p1-4ubuntu0.11.debian.tar.xz Link: https://github.com/openssh/openssh-portable/commit/7ef3787c84b6b524501211b11a26c742f829af1a Signed-off-by: Ranjitsinh Rathod Signed-off-by: Ranjitsinh Rathod Signed-off-by: Steve Sakoman --- .../openssh/openssh/CVE-2023-51385.patch | 95 +++++++++++++++++++ .../openssh/openssh_8.2p1.bb | 1 + 2 files changed, 96 insertions(+) create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-51385.patch diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-51385.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-51385.patch new file mode 100644 index 0000000000..0ba8c312d0 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-51385.patch @@ -0,0 +1,95 @@ +From 7ef3787c84b6b524501211b11a26c742f829af1a Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" +Date: Mon, 18 Dec 2023 14:47:44 +0000 +Subject: [PATCH] upstream: ban user/hostnames with most shell metacharacters + +This makes ssh(1) refuse user or host names provided on the +commandline that contain most shell metacharacters. + +Some programs that invoke ssh(1) using untrusted data do not filter +metacharacters in arguments they supply. This could create +interactions with user-specified ProxyCommand and other directives +that allow shell injection attacks to occur. + +It's a mistake to invoke ssh(1) with arbitrary untrusted arguments, +but getting this stuff right can be tricky, so this should prevent +most obvious ways of creating risky situations. It however is not +and cannot be perfect: ssh(1) has no practical way of interpreting +what shell quoting rules are in use and how they interact with the +user's specified ProxyCommand. + +To allow configurations that use strange user or hostnames to +continue to work, this strictness is applied only to names coming +from the commandline. Names specified using User or Hostname +directives in ssh_config(5) are not affected. + +feedback/ok millert@ markus@ dtucker@ deraadt@ + +OpenBSD-Commit-ID: 3b487348b5964f3e77b6b4d3da4c3b439e94b2d9 + +CVE: CVE-2023-51385 +Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/7ef3787c84b6b524501211b11a26c742f829af1a] +Signed-off-by: Ranjitsinh Rathod +Comment: Hunks refreshed to apply cleanly + +--- + ssh.c | 41 ++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 40 insertions(+), 1 deletion(-) + +diff --git a/ssh.c b/ssh.c +index 35c48e62d18..48d93ddf2a9 100644 +--- a/ssh.c ++++ b/ssh.c +@@ -583,6 +583,41 @@ set_addrinfo_port(struct addrinfo *addrs + } + } + ++static int ++valid_hostname(const char *s) ++{ ++ size_t i; ++ ++ if (*s == '-') ++ return 0; ++ for (i = 0; s[i] != 0; i++) { ++ if (strchr("'`\"$\\;&<>|(){}", s[i]) != NULL || ++ isspace((u_char)s[i]) || iscntrl((u_char)s[i])) ++ return 0; ++ } ++ return 1; ++} ++ ++static int ++valid_ruser(const char *s) ++{ ++ size_t i; ++ ++ if (*s == '-') ++ return 0; ++ for (i = 0; s[i] != 0; i++) { ++ if (strchr("'`\";&<>|(){}", s[i]) != NULL) ++ return 0; ++ /* Disallow '-' after whitespace */ ++ if (isspace((u_char)s[i]) && s[i + 1] == '-') ++ return 0; ++ /* Disallow \ in last position */ ++ if (s[i] == '\\' && s[i + 1] == '\0') ++ return 0; ++ } ++ return 1; ++} ++ + /* + * Main program for the ssh client. + */ +@@ -1069,6 +1104,10 @@ main(int ac, char **av) + if (!host) + usage(); + ++ if (!valid_hostname(host)) ++ fatal("hostname contains invalid characters"); ++ if (options.user != NULL && !valid_ruser(options.user)) ++ fatal("remote username contains invalid characters"); + host_arg = xstrdup(host); + + /* Initialize the command to execute on remote host. */ diff --git a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb index eb3089cd8a..9d6cf7da6c 100644 --- a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb @@ -40,6 +40,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar file://CVE-2023-38408-11.patch \ file://CVE-2023-38408-12.patch \ file://CVE-2023-48795.patch \ + file://CVE-2023-51385.patch \ " SRC_URI[md5sum] = "3076e6413e8dbe56d33848c1054ac091" SRC_URI[sha256sum] = "43925151e6cf6cee1450190c0e9af4dc36b41c12737619edff8bcebdff64e671" From patchwork Fri Jan 26 14:20:35 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 38355 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 687C4C47422 for ; Fri, 26 Jan 2024 14:21:12 +0000 (UTC) Received: from mail-pg1-f178.google.com (mail-pg1-f178.google.com [209.85.215.178]) by mx.groups.io with SMTP id smtpd.web11.17137.1706278864714268669 for ; Fri, 26 Jan 2024 06:21:04 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=Jn1MyGdR; spf=softfail (domain: sakoman.com, ip: 209.85.215.178, mailfrom: steve@sakoman.com) Received: by mail-pg1-f178.google.com with SMTP id 41be03b00d2f7-5ceb3fe708eso219962a12.3 for ; Fri, 26 Jan 2024 06:21:04 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1706278864; x=1706883664; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=RXv+SJNZjml8jyto5WletHgvZTiUKCX8ZQ/kISssg2o=; b=Jn1MyGdRk4dUf5LyMeuY4J6W222AU3UiI5YmrNOlRNJEm1y36my1jiWKLZ68gs3Xks fIzEd1DRhjdb5HZnBZZVRaYKRkprBAn3f5DB8+J+HO5+YkFw27k7xcC46vhsF9gIdOdt n7Rq2KqJz+imIMKVSqOYIpvUZeNNPUGWW2PH/N/qkmuOXzBpprfoGCubsQmnLq8jfVHS FaLZPBXFnXoKYMxW3FXsPXoMTzvtRgRu61o3GjHmAJ4ehN8fOGKV/MPk5EdJZRfTY7so 9AcmNVB7iqAEWMe3pK88iGdaV3txuwtaA4KFJvJYItw+uIFIvuVab8iZpY1/M8Am9MKJ mGww== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1706278864; x=1706883664; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=RXv+SJNZjml8jyto5WletHgvZTiUKCX8ZQ/kISssg2o=; b=aASdYPMajuEEJrrT1f5jhmJHktcalORgc7U2Jh3vAYticyhRB22IhQd7USy7es/n20 Ptl2Bq1Isyi2//qC1BtMBWZz9fiIXYDlnF7vJ8j/9bDZjTgglyDXMHvL7a1SdQ/oRP+F QGnS3U/rfwAUoKYekhUulnEIBPAKZcdBl+V4+tHAqNvIp2SFBqomUdXR/BfaYM0l1Fnm XF570tj3DLbUmYxzelBahFNPQKhdpsMvuplih1N0hD/TIq6etk+drS+kpZKxL/5ED42G TbIkkA3KFi+Wfkzsskz/GFZn0yRWZFiiDTEeyHi4eAdzjkDer39Vb4OkFkK12I34t2K3 qyIw== X-Gm-Message-State: AOJu0YyTsAOtUD5NZ2Vx2vyPN711+/MesHC4JY40O5OAcQvTkZ6VpadD s1lnwpQOaSU6L4reIxZ0Hbbgf3DfZ3PPlskwhD4vLIC3qR4idFV6TRZai51SuDi7zLqsmnvP9Qb 2rck= X-Google-Smtp-Source: AGHT+IE7W2UiAZcoWu7IjHZ9atRMFNJ//hS9BfpewCgUnsScfe22f1qEZZgot4ckWM2+Ir4Zk3S6mQ== X-Received: by 2002:a17:90b:4396:b0:28c:b654:ad4f with SMTP id in22-20020a17090b439600b0028cb654ad4fmr1641763pjb.17.1706278863678; Fri, 26 Jan 2024 06:21:03 -0800 (PST) Received: from hexa.router0800d9.com (dhcp-72-234-108-41.hawaiiantel.net. [72.234.108.41]) by smtp.gmail.com with ESMTPSA id rr14-20020a17090b2b4e00b0029095a896c8sm1136458pjb.40.2024.01.26.06.21.02 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 26 Jan 2024 06:21:03 -0800 (PST) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 2/8] sqlite3: Backport fix for CVE-2023-7104 Date: Fri, 26 Jan 2024 04:20:35 -1000 Message-Id: <2a418c0a55d0d4e9a70a41c9a7cfea97ec0edee9.1706278642.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 26 Jan 2024 14:21:12 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/194376 From: Vijay Anusuri Backport https://sqlite.org/src/info/0e4e7a05c4204b47 Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- .../sqlite/files/CVE-2023-7104.patch | 46 +++++++++++++++++++ meta/recipes-support/sqlite/sqlite3_3.31.1.bb | 1 + 2 files changed, 47 insertions(+) create mode 100644 meta/recipes-support/sqlite/files/CVE-2023-7104.patch diff --git a/meta/recipes-support/sqlite/files/CVE-2023-7104.patch b/meta/recipes-support/sqlite/files/CVE-2023-7104.patch new file mode 100644 index 0000000000..01ff29ff5e --- /dev/null +++ b/meta/recipes-support/sqlite/files/CVE-2023-7104.patch @@ -0,0 +1,46 @@ +From eab426c5fba69d2c77023939f72b4ad446834e3c Mon Sep 17 00:00:00 2001 +From: dan +Date: Thu, 7 Sep 2023 13:53:09 +0000 +Subject: [PATCH] Fix a buffer overread in the sessions extension that could occur when processing a corrupt changeset. + +Upstream-Status: Backport [https://sqlite.org/src/info/0e4e7a05c4204b47] +CVE: CVE-2023-7104 +Signed-off-by: Vijay Anusuri +--- + sqlite3.c | 18 +++++++++++------- + 1 file changed, 11 insertions(+), 7 deletions(-) + +diff --git a/sqlite3.c b/sqlite3.c +index 972ef18..c645ac8 100644 +--- a/sqlite3.c ++++ b/sqlite3.c +@@ -203301,15 +203301,19 @@ static int sessionReadRecord( + } + } + if( eType==SQLITE_INTEGER || eType==SQLITE_FLOAT ){ +- sqlite3_int64 v = sessionGetI64(aVal); +- if( eType==SQLITE_INTEGER ){ +- sqlite3VdbeMemSetInt64(apOut[i], v); ++ if( (pIn->nData-pIn->iNext)<8 ){ ++ rc = SQLITE_CORRUPT_BKPT; + }else{ +- double d; +- memcpy(&d, &v, 8); +- sqlite3VdbeMemSetDouble(apOut[i], d); ++ sqlite3_int64 v = sessionGetI64(aVal); ++ if( eType==SQLITE_INTEGER ){ ++ sqlite3VdbeMemSetInt64(apOut[i], v); ++ }else{ ++ double d; ++ memcpy(&d, &v, 8); ++ sqlite3VdbeMemSetDouble(apOut[i], d); ++ } ++ pIn->iNext += 8; + } +- pIn->iNext += 8; + } + } + } +-- +2.25.1 + diff --git a/meta/recipes-support/sqlite/sqlite3_3.31.1.bb b/meta/recipes-support/sqlite/sqlite3_3.31.1.bb index ef12ef0db2..0e7bcfa5a7 100644 --- a/meta/recipes-support/sqlite/sqlite3_3.31.1.bb +++ b/meta/recipes-support/sqlite/sqlite3_3.31.1.bb @@ -17,6 +17,7 @@ SRC_URI = "http://www.sqlite.org/2020/sqlite-autoconf-${SQLITE_PV}.tar.gz \ file://CVE-2020-35525.patch \ file://CVE-2020-35527.patch \ file://CVE-2021-20223.patch \ + file://CVE-2023-7104.patch \ " SRC_URI[md5sum] = "2d0a553534c521504e3ac3ad3b90f125" SRC_URI[sha256sum] = "62284efebc05a76f909c580ffa5c008a7d22a1287285d68b7825a2b6b51949ae" From patchwork Fri Jan 26 14:20:36 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 38358 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7641EC47DDF for ; Fri, 26 Jan 2024 14:21:12 +0000 (UTC) Received: from mail-pj1-f46.google.com (mail-pj1-f46.google.com [209.85.216.46]) by mx.groups.io with SMTP id smtpd.web11.17140.1706278867262376051 for ; Fri, 26 Jan 2024 06:21:07 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=xvpxqdHi; spf=softfail (domain: sakoman.com, ip: 209.85.216.46, mailfrom: steve@sakoman.com) Received: by mail-pj1-f46.google.com with SMTP id 98e67ed59e1d1-2949dd860f8so146950a91.2 for ; Fri, 26 Jan 2024 06:21:07 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1706278866; x=1706883666; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=A3ZE3kOZuBNwFFFT5DbhAxQUgnl2FUlOC9HTp7nx+8I=; b=xvpxqdHihQXDV1sMGXylRu1/1JupZTqawxtI+bzzy/yFSO1wgc+9Ez2cFpGPiMSJwt v+6dYOKFW8WNAutXzuVa+7BWGB1sQm7ib9ujYC8RE1yx/5n4x52l2kJkkf9DAnxhrhJz VR9dyQwlj18e+rN9SUzalCH1CQIUKYgJVlC138V660bQyNJDq64WCHeQgPhHnn9vxOiM tSZU6H4c1oxvTfDLzYZlc/txNJENleu+FhPoW6ZNbtrRbYTN2Pf1d0WsGmw3z6o4EVPp 7k7wxiQt5XTBWn3lHE51I4oMgLpIIfjg25UnXJRaKh+Za/fR/C33+UEhbPwG8mCti7TF JNSw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1706278866; x=1706883666; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=A3ZE3kOZuBNwFFFT5DbhAxQUgnl2FUlOC9HTp7nx+8I=; b=DObYU1dJAyBR5QKNsLIdVITtHvFSrjxIVoBqYIjNSkKenlLmYmnDR6ubY/JCQ+1Vb6 MXmsihVSo80/ZjXX5vW/SM16NCPlGL8qGm/MhXnB45VhfX3MkhlBQOoe7KCWs8unHRFy 1rakdioGi0lN9gRD8nfU+S23RhI7qCt82Lq9PC/Wno5GKE0whncoec7Lha9vXmIhZ3no kMf3zEMAxj7VJGkKWZcNaecCBFet2ag2bqC5GRZrLCMJgrs5DzdtJmzL4XcLIM++l+J2 9eM3HXNluVkRMsaLV7kEeQehhT6Iw8Fjwt7UAUBXSX8QsEOOhaqKrHvPUWeN+HJj7Ewv xg8g== X-Gm-Message-State: AOJu0YxnN9HqAHSHz5VQPg7+tJyaIAYzAYBgwDAp3gbuUH4JCqTXxlAX AHg4GpuwQ4tfk02duiO5QWMOg8bL5+uwig+ghOiFL/2noRsVlpJhdjVxbhSDJ83WPhMW+TZyv25 G8zA= X-Google-Smtp-Source: AGHT+IHtwWJGoKcO6oItUMyLoOHxuZRRw0iWp36b7hA5cHfnJO0Cr6XA1tWzeQRe4jR7NKgJgvq7rQ== X-Received: by 2002:a17:90a:7c06:b0:290:cef3:822a with SMTP id v6-20020a17090a7c0600b00290cef3822amr801829pjf.90.1706278865709; Fri, 26 Jan 2024 06:21:05 -0800 (PST) Received: from hexa.router0800d9.com (dhcp-72-234-108-41.hawaiiantel.net. [72.234.108.41]) by smtp.gmail.com with ESMTPSA id rr14-20020a17090b2b4e00b0029095a896c8sm1136458pjb.40.2024.01.26.06.21.04 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 26 Jan 2024 06:21:05 -0800 (PST) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 3/8] gnutls: Backport fix for CVE-2023-5981 Date: Fri, 26 Jan 2024 04:20:36 -1000 Message-Id: <087b7c5d8363bcc6ae801d3ca18e6490e86a1381.1706278642.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 26 Jan 2024 14:21:12 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/194377 From: Vijay Anusuri Upstream-Status: Backport [import from ubuntu https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/gnutls28/3.6.13-2ubuntu1.9/gnutls28_3.6.13-2ubuntu1.9.debian.tar.xz Upstream-Commit: https://gitlab.com/gnutls/gnutls/-/commit/29d6298d0b04cfff970b993915db71ba3f580b6d] References: https://ubuntu.com/security/CVE-2023-5981 Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- .../gnutls/gnutls/CVE-2023-5981.patch | 206 ++++++++++++++++++ meta/recipes-support/gnutls/gnutls_3.6.14.bb | 1 + 2 files changed, 207 insertions(+) create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2023-5981.patch diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2023-5981.patch b/meta/recipes-support/gnutls/gnutls/CVE-2023-5981.patch new file mode 100644 index 0000000000..c518cfa0ac --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/CVE-2023-5981.patch @@ -0,0 +1,206 @@ +Backport of: + +From 29d6298d0b04cfff970b993915db71ba3f580b6d Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Mon, 23 Oct 2023 09:26:57 +0900 +Subject: [PATCH] auth/rsa_psk: side-step potential side-channel + +This removes branching that depends on secret data, porting changes +for regular RSA key exchange from +4804febddc2ed958e5ae774de2a8f85edeeff538 and +80a6ce8ddb02477cd724cd5b2944791aaddb702a. This also removes the +allow_wrong_pms as it was used sorely to control debug output +depending on the branching. + +Signed-off-by: Daiki Ueno + +Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/gnutls28/3.6.13-2ubuntu1.9/gnutls28_3.6.13-2ubuntu1.9.debian.tar.xz +Upstream-Commit: https://gitlab.com/gnutls/gnutls/-/commit/29d6298d0b04cfff970b993915db71ba3f580b6d] +CVE: CVE-2023-5981 +Signed-off-by: Vijay Anusuri +--- + lib/auth/rsa.c | 2 +- + lib/auth/rsa_psk.c | 90 ++++++++++++++++++---------------------------- + lib/gnutls_int.h | 4 --- + lib/priority.c | 1 - + 4 files changed, 35 insertions(+), 62 deletions(-) + +--- a/lib/auth/rsa.c ++++ b/lib/auth/rsa.c +@@ -207,7 +207,7 @@ proc_rsa_client_kx(gnutls_session_t sess + session->key.key.size); + /* After this point, any conditional on failure that cause differences + * in execution may create a timing or cache access pattern side +- * channel that can be used as an oracle, so treat very carefully */ ++ * channel that can be used as an oracle, so tread carefully */ + + /* Error handling logic: + * In case decryption fails then don't inform the peer. Just use the +--- a/lib/auth/rsa_psk.c ++++ b/lib/auth/rsa_psk.c +@@ -264,14 +264,13 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_se + { + gnutls_datum_t username; + psk_auth_info_t info; +- gnutls_datum_t plaintext; + gnutls_datum_t ciphertext; + gnutls_datum_t pwd_psk = { NULL, 0 }; + int ret, dsize; +- int randomize_key = 0; + ssize_t data_size = _data_size; + gnutls_psk_server_credentials_t cred; + gnutls_datum_t premaster_secret = { NULL, 0 }; ++ volatile uint8_t ver_maj, ver_min; + + cred = (gnutls_psk_server_credentials_t) + _gnutls_get_cred(session, GNUTLS_CRD_PSK); +@@ -327,71 +326,47 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_se + } + ciphertext.size = dsize; + +- ret = +- gnutls_privkey_decrypt_data(session->internals.selected_key, 0, +- &ciphertext, &plaintext); +- if (ret < 0 || plaintext.size != GNUTLS_MASTER_SIZE) { +- /* In case decryption fails then don't inform +- * the peer. Just use a random key. (in order to avoid +- * attack against pkcs-1 formatting). +- */ +- gnutls_assert(); +- _gnutls_debug_log +- ("auth_rsa_psk: Possible PKCS #1 format attack\n"); +- if (ret >= 0) { +- gnutls_free(plaintext.data); +- } +- randomize_key = 1; +- } else { +- /* If the secret was properly formatted, then +- * check the version number. +- */ +- if (_gnutls_get_adv_version_major(session) != +- plaintext.data[0] +- || (session->internals.allow_wrong_pms == 0 +- && _gnutls_get_adv_version_minor(session) != +- plaintext.data[1])) { +- /* No error is returned here, if the version number check +- * fails. We proceed normally. +- * That is to defend against the attack described in the paper +- * "Attacking RSA-based sessions in SSL/TLS" by Vlastimil Klima, +- * Ondej Pokorny and Tomas Rosa. +- */ +- gnutls_assert(); +- _gnutls_debug_log +- ("auth_rsa: Possible PKCS #1 version check format attack\n"); +- } +- } ++ ver_maj = _gnutls_get_adv_version_major(session); ++ ver_min = _gnutls_get_adv_version_minor(session); + ++ premaster_secret.data = gnutls_malloc(GNUTLS_MASTER_SIZE); ++ if (premaster_secret.data == NULL) { ++ gnutls_assert(); ++ return GNUTLS_E_MEMORY_ERROR; ++ } ++ premaster_secret.size = GNUTLS_MASTER_SIZE; + +- if (randomize_key != 0) { +- premaster_secret.size = GNUTLS_MASTER_SIZE; +- premaster_secret.data = +- gnutls_malloc(premaster_secret.size); +- if (premaster_secret.data == NULL) { +- gnutls_assert(); +- return GNUTLS_E_MEMORY_ERROR; +- } +- +- /* we do not need strong random numbers here. +- */ +- ret = gnutls_rnd(GNUTLS_RND_NONCE, premaster_secret.data, +- premaster_secret.size); +- if (ret < 0) { +- gnutls_assert(); +- goto cleanup; +- } +- } else { +- premaster_secret.data = plaintext.data; +- premaster_secret.size = plaintext.size; ++ /* Fallback value when decryption fails. Needs to be unpredictable. */ ++ ret = gnutls_rnd(GNUTLS_RND_NONCE, premaster_secret.data, ++ premaster_secret.size); ++ if (ret < 0) { ++ gnutls_assert(); ++ goto cleanup; + } + ++ gnutls_privkey_decrypt_data2(session->internals.selected_key, 0, ++ &ciphertext, premaster_secret.data, ++ premaster_secret.size); ++ /* After this point, any conditional on failure that cause differences ++ * in execution may create a timing or cache access pattern side ++ * channel that can be used as an oracle, so tread carefully */ ++ ++ /* Error handling logic: ++ * In case decryption fails then don't inform the peer. Just use the ++ * random key previously generated. (in order to avoid attack against ++ * pkcs-1 formatting). ++ * ++ * If we get version mismatches no error is returned either. We ++ * proceed normally. This is to defend against the attack described ++ * in the paper "Attacking RSA-based sessions in SSL/TLS" by ++ * Vlastimil Klima, Ondej Pokorny and Tomas Rosa. ++ */ ++ + /* This is here to avoid the version check attack + * discussed above. + */ +- +- premaster_secret.data[0] = _gnutls_get_adv_version_major(session); +- premaster_secret.data[1] = _gnutls_get_adv_version_minor(session); ++ premaster_secret.data[0] = ver_maj; ++ premaster_secret.data[1] = ver_min; + + /* find the key of this username + */ +--- a/lib/gnutls_int.h ++++ b/lib/gnutls_int.h +@@ -989,7 +989,6 @@ struct gnutls_priority_st { + bool _no_etm; + bool _no_ext_master_secret; + bool _allow_key_usage_violation; +- bool _allow_wrong_pms; + bool _dumbfw; + unsigned int _dh_prime_bits; /* old (deprecated) variable */ + +@@ -1007,7 +1006,6 @@ struct gnutls_priority_st { + (x)->no_etm = 1; \ + (x)->no_ext_master_secret = 1; \ + (x)->allow_key_usage_violation = 1; \ +- (x)->allow_wrong_pms = 1; \ + (x)->dumbfw = 1 + + #define ENABLE_PRIO_COMPAT(x) \ +@@ -1016,7 +1014,6 @@ struct gnutls_priority_st { + (x)->_no_etm = 1; \ + (x)->_no_ext_master_secret = 1; \ + (x)->_allow_key_usage_violation = 1; \ +- (x)->_allow_wrong_pms = 1; \ + (x)->_dumbfw = 1 + + /* DH and RSA parameters types. +@@ -1141,7 +1138,6 @@ typedef struct { + bool no_etm; + bool no_ext_master_secret; + bool allow_key_usage_violation; +- bool allow_wrong_pms; + bool dumbfw; + + /* old (deprecated) variable. This is used for both srp_prime_bits +--- a/lib/priority.c ++++ b/lib/priority.c +@@ -681,7 +681,6 @@ gnutls_priority_set(gnutls_session_t ses + COPY_TO_INTERNALS(no_etm); + COPY_TO_INTERNALS(no_ext_master_secret); + COPY_TO_INTERNALS(allow_key_usage_violation); +- COPY_TO_INTERNALS(allow_wrong_pms); + COPY_TO_INTERNALS(dumbfw); + COPY_TO_INTERNALS(dh_prime_bits); + diff --git a/meta/recipes-support/gnutls/gnutls_3.6.14.bb b/meta/recipes-support/gnutls/gnutls_3.6.14.bb index 0c3392d521..406f0b54c5 100644 --- a/meta/recipes-support/gnutls/gnutls_3.6.14.bb +++ b/meta/recipes-support/gnutls/gnutls_3.6.14.bb @@ -28,6 +28,7 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar file://CVE-2022-2509.patch \ file://CVE-2021-4209.patch \ file://CVE-2023-0361.patch \ + file://CVE-2023-5981.patch \ " SRC_URI[sha256sum] = "5630751adec7025b8ef955af4d141d00d252a985769f51b4059e5affa3d39d63" From patchwork Fri Jan 26 14:20:37 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 38359 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8C08CC48286 for ; Fri, 26 Jan 2024 14:21:12 +0000 (UTC) Received: from mail-pl1-f169.google.com (mail-pl1-f169.google.com [209.85.214.169]) by mx.groups.io with SMTP id smtpd.web10.17193.1706278869195388433 for ; Fri, 26 Jan 2024 06:21:09 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=L9ODkNhF; spf=softfail (domain: sakoman.com, ip: 209.85.214.169, mailfrom: steve@sakoman.com) Received: by mail-pl1-f169.google.com with SMTP id d9443c01a7336-1d74678df08so2542285ad.1 for ; Fri, 26 Jan 2024 06:21:09 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1706278868; x=1706883668; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=zBb6jNJO9HC+B8JPixEcnxMW7PzYawT7hGndNknGVWE=; b=L9ODkNhFkaAvGV42Cd+i33WfmmEnmgz3cYba60065Sx3AKv5eGwYBCjExsQbDCABNX oTJIE1SvpjG+WH7OmALH1+UsMW2pYEer4lSkykEbXogmCX2eiIhaK+SwDZ8gqFsWXqfg /IUOMXqFHfZuUN/jM/arZ2enXJrFLNn/GDcZS0hSgFt9bEu1ARE29EFKBf4PPMsH1jQ0 SUeT32i/7t7zscBMyFLrcE6Ocvl6r4FUxm8uLVJvSglalspWfooLmP4hrMFxQujisW5E qf6DjQk+q+619cXp13ePDEvX6o009q2Ucklv5CvXuk4Ft3zvbD0RVR5113yke7e0EFoL MxgQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1706278868; x=1706883668; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=zBb6jNJO9HC+B8JPixEcnxMW7PzYawT7hGndNknGVWE=; b=vpDkpWd5zTyz+AU1lVzzHUb66pgzZDs9TUTsAEQXaUFTd6fMfrQ5AkDjVArnJ3CqwU 6W7Y6A/cVoBWxKcMGhGcOamFBnCZ9KQKuT/U1jvwsxMO67mwJNOhor23UdKrZ20rSP9n j+VMfVJCIvY9TT8RwK/AlL7mIjT5fYxvjAIFpNYjDJSfZDfUyk2h6mUHtgwGTVF2bqSw +dYYzZjUJXgs+ekiC//pAya7l4LCtjUjF+iZ4XUyDXyZ9dc3+Jpf3mQNE/L8H4h7Y2rB PCMpbejKKhGiw8vjynng2VY0mrr10j15hOP7MslqZ0klHkPT1/bGwUC6f5wroFjy4PA1 N8/w== X-Gm-Message-State: AOJu0YysM1V94lq/kq8akn/NdsPfuI6G7cwCEOfqSF9sLZ5mSJBuQp+P pPuCssxmbqZZi+fU971n7nbvE4CcRDjyBQv/Jnss9cfs/LPr6ACTyZZNGlU0xawzeaO3ipnOGYA A6mo= X-Google-Smtp-Source: AGHT+IE+qC5LBr93Z7B4fypbMvctfTHxbmJMyNvrFGDaCdiCJYaKXfUyJXnB7vl1Yg+jePNyzEm5dA== X-Received: by 2002:a17:902:c403:b0:1d7:4d4f:db24 with SMTP id k3-20020a170902c40300b001d74d4fdb24mr1354842plk.0.1706278867759; Fri, 26 Jan 2024 06:21:07 -0800 (PST) Received: from hexa.router0800d9.com (dhcp-72-234-108-41.hawaiiantel.net. [72.234.108.41]) by smtp.gmail.com with ESMTPSA id rr14-20020a17090b2b4e00b0029095a896c8sm1136458pjb.40.2024.01.26.06.21.06 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 26 Jan 2024 06:21:07 -0800 (PST) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 4/8] gnutls: Backport fix for CVE-2024-0553 Date: Fri, 26 Jan 2024 04:20:37 -1000 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 26 Jan 2024 14:21:12 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/194378 From: Vijay Anusuri CVE-2024-0553 A vulnerability was found in GnuTLS. The response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding. This issue may allow a remote attacker to perform a timing side-channel attack in the RSA-PSK key exchange, potentially leading to the leakage of sensitive data. CVE-2024-0553 is designated as an incomplete resolution for CVE-2023-5981. Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/40dbbd8de499668590e8af51a15799fbc430595e] Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- .../gnutls/gnutls/CVE-2024-0553.patch | 125 ++++++++++++++++++ meta/recipes-support/gnutls/gnutls_3.6.14.bb | 1 + 2 files changed, 126 insertions(+) create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2024-0553.patch diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2024-0553.patch b/meta/recipes-support/gnutls/gnutls/CVE-2024-0553.patch new file mode 100644 index 0000000000..f15c470879 --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/CVE-2024-0553.patch @@ -0,0 +1,125 @@ +From 40dbbd8de499668590e8af51a15799fbc430595e Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Wed, 10 Jan 2024 19:13:17 +0900 +Subject: [PATCH] rsa-psk: minimize branching after decryption + +This moves any non-trivial code between gnutls_privkey_decrypt_data2 +and the function return in _gnutls_proc_rsa_psk_client_kx up until the +decryption. This also avoids an extra memcpy to session->key.key. + +Signed-off-by: Daiki Ueno + +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/40dbbd8de499668590e8af51a15799fbc430595e] +CVE: CVE-2024-0553 +Signed-off-by: Vijay Anusuri +--- + lib/auth/rsa_psk.c | 68 ++++++++++++++++++++++++---------------------- + 1 file changed, 35 insertions(+), 33 deletions(-) + +diff --git a/lib/auth/rsa_psk.c b/lib/auth/rsa_psk.c +index 93c2dc9..c6cfb92 100644 +--- a/lib/auth/rsa_psk.c ++++ b/lib/auth/rsa_psk.c +@@ -269,7 +269,6 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data, + int ret, dsize; + ssize_t data_size = _data_size; + gnutls_psk_server_credentials_t cred; +- gnutls_datum_t premaster_secret = { NULL, 0 }; + volatile uint8_t ver_maj, ver_min; + + cred = (gnutls_psk_server_credentials_t) +@@ -329,24 +328,48 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data, + ver_maj = _gnutls_get_adv_version_major(session); + ver_min = _gnutls_get_adv_version_minor(session); + +- premaster_secret.data = gnutls_malloc(GNUTLS_MASTER_SIZE); +- if (premaster_secret.data == NULL) { ++ /* Find the key of this username. A random value will be ++ * filled in if the key is not found. ++ */ ++ ret = _gnutls_psk_pwd_find_entry(session, info->username, ++ strlen(info->username), &pwd_psk); ++ if (ret < 0) ++ return gnutls_assert_val(ret); ++ ++ /* Allocate memory for premaster secret, and fill in the ++ * fields except the decryption result. ++ */ ++ session->key.key.size = 2 + GNUTLS_MASTER_SIZE + 2 + pwd_psk.size; ++ session->key.key.data = gnutls_malloc(session->key.key.size); ++ if (session->key.key.data == NULL) { + gnutls_assert(); ++ _gnutls_free_key_datum(&pwd_psk); ++ /* No need to zeroize, as the secret is not copied in yet */ ++ _gnutls_free_datum(&session->key.key); + return GNUTLS_E_MEMORY_ERROR; + } +- premaster_secret.size = GNUTLS_MASTER_SIZE; + + /* Fallback value when decryption fails. Needs to be unpredictable. */ +- ret = gnutls_rnd(GNUTLS_RND_NONCE, premaster_secret.data, +- premaster_secret.size); ++ ret = gnutls_rnd(GNUTLS_RND_NONCE, session->key.key.data + 2, ++ GNUTLS_MASTER_SIZE); + if (ret < 0) { + gnutls_assert(); +- goto cleanup; ++ _gnutls_free_key_datum(&pwd_psk); ++ /* No need to zeroize, as the secret is not copied in yet */ ++ _gnutls_free_datum(&session->key.key); ++ return ret; + } + ++ _gnutls_write_uint16(GNUTLS_MASTER_SIZE, session->key.key.data); ++ _gnutls_write_uint16(pwd_psk.size, ++ &session->key.key.data[2 + GNUTLS_MASTER_SIZE]); ++ memcpy(&session->key.key.data[2 + GNUTLS_MASTER_SIZE + 2], pwd_psk.data, ++ pwd_psk.size); ++ _gnutls_free_key_datum(&pwd_psk); ++ + gnutls_privkey_decrypt_data2(session->internals.selected_key, 0, +- &ciphertext, premaster_secret.data, +- premaster_secret.size); ++ &ciphertext, session->key.key.data + 2, ++ GNUTLS_MASTER_SIZE); + /* After this point, any conditional on failure that cause differences + * in execution may create a timing or cache access pattern side + * channel that can be used as an oracle, so tread carefully */ +@@ -365,31 +388,10 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data, + /* This is here to avoid the version check attack + * discussed above. + */ +- premaster_secret.data[0] = ver_maj; +- premaster_secret.data[1] = ver_min; ++ session->key.key.data[2] = ver_maj; ++ session->key.key.data[3] = ver_min; + +- /* find the key of this username +- */ +- ret = +- _gnutls_psk_pwd_find_entry(session, info->username, strlen(info->username), &pwd_psk); +- if (ret < 0) { +- gnutls_assert(); +- goto cleanup; +- } +- +- ret = +- set_rsa_psk_session_key(session, &pwd_psk, &premaster_secret); +- if (ret < 0) { +- gnutls_assert(); +- goto cleanup; +- } +- +- ret = 0; +- cleanup: +- _gnutls_free_key_datum(&pwd_psk); +- _gnutls_free_temp_key_datum(&premaster_secret); +- +- return ret; ++ return 0; + } + + static int +-- +2.25.1 + diff --git a/meta/recipes-support/gnutls/gnutls_3.6.14.bb b/meta/recipes-support/gnutls/gnutls_3.6.14.bb index 406f0b54c5..a1451daf2c 100644 --- a/meta/recipes-support/gnutls/gnutls_3.6.14.bb +++ b/meta/recipes-support/gnutls/gnutls_3.6.14.bb @@ -29,6 +29,7 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar file://CVE-2021-4209.patch \ file://CVE-2023-0361.patch \ file://CVE-2023-5981.patch \ + file://CVE-2024-0553.patch \ " SRC_URI[sha256sum] = "5630751adec7025b8ef955af4d141d00d252a985769f51b4059e5affa3d39d63" From patchwork Fri Jan 26 14:20:38 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 38357 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 87B1CC4828A for ; Fri, 26 Jan 2024 14:21:12 +0000 (UTC) Received: from mail-pj1-f44.google.com (mail-pj1-f44.google.com [209.85.216.44]) by mx.groups.io with SMTP id smtpd.web11.17144.1706278871063542286 for ; Fri, 26 Jan 2024 06:21:11 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=sk7dcaeD; spf=softfail (domain: sakoman.com, ip: 209.85.216.44, mailfrom: steve@sakoman.com) Received: by mail-pj1-f44.google.com with SMTP id 98e67ed59e1d1-2901f9ea918so230478a91.3 for ; Fri, 26 Jan 2024 06:21:11 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1706278870; x=1706883670; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=Ecd68nRTqi76SryG1RqIGeNAnf34LZ/fF4PLj5JmDbM=; b=sk7dcaeD/2Oe+hF7bWl9JF/ZcwKO/u/GRMOI1r0AgFLijkvi4jZV2wiWv/LI3GXAT7 TvZFT/3/gn7b0iFjss9JUyaboEdN4x/+w/HDgeyI6Ju6XqFuBvA1kTCEliNSMKRQ5Pbl eRTGnW/h2UWuEIxnhfonfUIab1SwjxzjTgruTTH7NvHqsH4eV2uYrzeqOglrxT7FwQgp g/7Pacgg/aOUYh/3/zt4/QaweBRcTWAZVoUMAJ8pgjVNHS4429VbvILmDiP2os/NM+Pd OVEKYdqtluU1ihayucfrlMOMBfG9oCisCr+qGrNTUpmRRhKZkIXo10uyTK0dGsu/vv7f 0zyA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1706278870; x=1706883670; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Ecd68nRTqi76SryG1RqIGeNAnf34LZ/fF4PLj5JmDbM=; b=nLAklZO8WLmHA55pVcmk22WlR4C+BeV+h9nlf30zHI4YzSvcm6x1yL529dFpwkBCoP ZVsed+BMjMcutOizob/vu7nfhc0xNx0nRE4OtMNgYcMhR7UwaApu5FdeWB/AGSt3Oi07 G+05VLBXe36ITvrI754E38yoJXPJOS9NuoKPP5ZHoPbX8RU8xfw1XHt2nLeJdkU7T2VY fUcXRkM+4vTL+ZjN1Uup4tt4jQt7i4uTD4mEx+s5OR2akITRa4q4vY2bk8/Cx6AKRnOy k2wv89kfLJWb47X93urPPxxqwHb8V3Cjf8BSZHV/0uoCdxMH8Qmnm5gB2UD9SnNmJ6um t1Zw== X-Gm-Message-State: AOJu0Yw9brxQzz48DDT2iMbQGGF2MHkqVZADWkyJ39jWyPaP8pkyyLza CPQ3XLjexOqBBMb2H8O5ivf+svMCpCEM4O8XHgwnB2BeOGGoB2z3tzczu1JcA3oUGzbbz7YPHmj LErQ= X-Google-Smtp-Source: AGHT+IEqjCTe6+O+UvLy9kmEDDqMCqEHLJx8KrWk7SgqKBWco4td2rC5rJZuOhkTYLuZgAue5zbZBA== X-Received: by 2002:a17:90a:bb18:b0:293:f954:5407 with SMTP id u24-20020a17090abb1800b00293f9545407mr476256pjr.15.1706278869727; Fri, 26 Jan 2024 06:21:09 -0800 (PST) Received: from hexa.router0800d9.com (dhcp-72-234-108-41.hawaiiantel.net. [72.234.108.41]) by smtp.gmail.com with ESMTPSA id rr14-20020a17090b2b4e00b0029095a896c8sm1136458pjb.40.2024.01.26.06.21.08 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 26 Jan 2024 06:21:09 -0800 (PST) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 5/8] pam: Fix for CVE-2024-22365 Date: Fri, 26 Jan 2024 04:20:38 -1000 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 26 Jan 2024 14:21:12 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/194379 From: Vijay Anusuri Upstream-Status: Backport from https://github.com/linux-pam/linux-pam/commit/031bb5a5d0d950253b68138b498dc93be69a64cb Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- .../pam/libpam/CVE-2024-22365.patch | 59 +++++++++++++++++++ meta/recipes-extended/pam/libpam_1.3.1.bb | 1 + 2 files changed, 60 insertions(+) create mode 100644 meta/recipes-extended/pam/libpam/CVE-2024-22365.patch diff --git a/meta/recipes-extended/pam/libpam/CVE-2024-22365.patch b/meta/recipes-extended/pam/libpam/CVE-2024-22365.patch new file mode 100644 index 0000000000..33ac37b7f0 --- /dev/null +++ b/meta/recipes-extended/pam/libpam/CVE-2024-22365.patch @@ -0,0 +1,59 @@ +From 031bb5a5d0d950253b68138b498dc93be69a64cb Mon Sep 17 00:00:00 2001 +From: Matthias Gerstner +Date: Wed, 27 Dec 2023 14:01:59 +0100 +Subject: [PATCH] pam_namespace: protect_dir(): use O_DIRECTORY to prevent + local DoS situations + +Without O_DIRECTORY the path crawling logic is subject to e.g. FIFOs +being placed in user controlled directories, causing the PAM module to +block indefinitely during `openat()`. + +Pass O_DIRECTORY to cause the `openat()` to fail if the path does not +refer to a directory. + +With this the check whether the final path element is a directory +becomes unnecessary, drop it. + +Upstream-Status: Backport [https://github.com/linux-pam/linux-pam/commit/031bb5a5d0d950253b68138b498dc93be69a64cb] +CVE: CVE-2024-22365 +Signed-off-by: Vijay Anusuri +--- + modules/pam_namespace/pam_namespace.c | 18 +----------------- + 1 file changed, 1 insertion(+), 17 deletions(-) + +diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c +index 2528cff86..f72d67189 100644 +--- a/modules/pam_namespace/pam_namespace.c ++++ b/modules/pam_namespace/pam_namespace.c +@@ -1201,7 +1201,7 @@ static int protect_dir(const char *path, mode_t mode, int do_mkdir, + int dfd = AT_FDCWD; + int dfd_next; + int save_errno; +- int flags = O_RDONLY; ++ int flags = O_RDONLY | O_DIRECTORY; + int rv = -1; + struct stat st; + +@@ -1255,22 +1255,6 @@ static int protect_dir(const char *path, mode_t mode, int do_mkdir, + rv = openat(dfd, dir, flags); + } + +- if (rv != -1) { +- if (fstat(rv, &st) != 0) { +- save_errno = errno; +- close(rv); +- rv = -1; +- errno = save_errno; +- goto error; +- } +- if (!S_ISDIR(st.st_mode)) { +- close(rv); +- errno = ENOTDIR; +- rv = -1; +- goto error; +- } +- } +- + if (flags & O_NOFOLLOW) { + /* we are inside user-owned dir - protect */ + if (protect_mount(rv, p, idata) == -1) { diff --git a/meta/recipes-extended/pam/libpam_1.3.1.bb b/meta/recipes-extended/pam/libpam_1.3.1.bb index bc72afe6ad..527a368e2d 100644 --- a/meta/recipes-extended/pam/libpam_1.3.1.bb +++ b/meta/recipes-extended/pam/libpam_1.3.1.bb @@ -24,6 +24,7 @@ SRC_URI = "https://github.com/linux-pam/linux-pam/releases/download/v${PV}/Linux file://pam-security-abstract-securetty-handling.patch \ file://pam-unix-nullok-secure.patch \ file://crypt_configure.patch \ + file://CVE-2024-22365.patch \ " SRC_URI[md5sum] = "558ff53b0fc0563ca97f79e911822165" From patchwork Fri Jan 26 14:20:39 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 38361 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 92478C48260 for ; Fri, 26 Jan 2024 14:21:22 +0000 (UTC) Received: from mail-pl1-f171.google.com (mail-pl1-f171.google.com [209.85.214.171]) by mx.groups.io with SMTP id smtpd.web10.17195.1706278873494223887 for ; Fri, 26 Jan 2024 06:21:13 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=IX1dqC2H; spf=softfail (domain: sakoman.com, ip: 209.85.214.171, mailfrom: steve@sakoman.com) Received: by mail-pl1-f171.google.com with SMTP id d9443c01a7336-1d748d43186so2548015ad.0 for ; Fri, 26 Jan 2024 06:21:13 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1706278872; x=1706883672; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=LLJIxbOMNWDAtgQC7WVTsLV0IfHMFpYt1a3i8fQh4wk=; b=IX1dqC2HBrnegkNq4FHiVCP7wjefWdPfHYmXWGu4Lceb8zSoD5fFNx6u3TjUmDscS5 LjvOpZuK6GphUXrza8wzIz9cIcHzfNWQI0s7MsBoJjefDYbFsiFx58+MuLwJl/HWdCMR y1va773VAIsvtwratM3s6ypEPBj9c+SGM0txhy3JuYhmXnrztl5ojHY7loHFGo0pss+C 7O1F7AL/RTULKRgR99gDbYkt43t6bZnQuBM4FU5m4LO5EgRkO2+keBf8XVnzmcEMMVvJ vh5yCTu43SZrmVDm62T+n9s8ebzwHQ4rtwSvW+9EoYf6czXoZU9i/0zj/21jjOldfrcl +nXQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1706278872; x=1706883672; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=LLJIxbOMNWDAtgQC7WVTsLV0IfHMFpYt1a3i8fQh4wk=; b=n8tgWPv92yhZPEJd20L3wzkRnN+MFvWNhJisK3AWsb3RWxLOY90zDTAPY9tIhT5vkF ggIAqvoRtBpxZkeAQjxWAfYF38n4JTaEOYSnY7iNH4SJfvptyhv0v1ujDfZzgyA935MI ehQH9pizpmm/n6USmx8Y+m1uMHsyqozqvPgizg25oeCK8Ddnvv++td5l0dDVrI7Yo0lt M9F2K8XYq95Njtfi6qvfej08hVy/ygTwkAYFBvp5HrEEwGbXyJujJ4n4nGqoQG0HxhxP yyFWOH+0skatcdib/ErnLyfIN0UXxQpAtBBoEdCehHQaf2itNuyJRnHrf5Zy6KhFfTLX hDEw== X-Gm-Message-State: AOJu0Yzy4fodMXxhhQwJSrp+yRwbSkEb6d8IDFqr+CoG78CBW5TknM9i 2+puQrh1+WJipWTDxJbux2lKC9plKZ595bANsO2Yz8B0haiBtDWvvu2x1e+QEEdhWf5T0DWsAAg H6l0= X-Google-Smtp-Source: AGHT+IFTzMgVxnGQOf2veD5UabO6Q9rzDk1QycaOUVRb9riGaPOmMipxZpe4e8W6ALfEuMypkzukTQ== X-Received: by 2002:a17:902:c70b:b0:1d8:8d72:5e96 with SMTP id p11-20020a170902c70b00b001d88d725e96mr903556plp.42.1706278871885; Fri, 26 Jan 2024 06:21:11 -0800 (PST) Received: from hexa.router0800d9.com (dhcp-72-234-108-41.hawaiiantel.net. [72.234.108.41]) by smtp.gmail.com with ESMTPSA id rr14-20020a17090b2b4e00b0029095a896c8sm1136458pjb.40.2024.01.26.06.21.10 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 26 Jan 2024 06:21:11 -0800 (PST) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 6/8] xserver-xorg: Multiple CVE fixes Date: Fri, 26 Jan 2024 04:20:39 -1000 Message-Id: <14ffb41e7a49a4c0076db9ec4449a97c0f143b67.1706278642.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 26 Jan 2024 14:21:22 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/194380 From: Vijay Anusuri Fix below CVE's CVE-2023-6816 CVE-2024-0229 CVE-2024-21885 CVE-2024-21886 CVE-2024-0408 CVE-2024-0409 Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- .../xserver-xorg/CVE-2023-6816.patch | 55 +++++ .../xserver-xorg/CVE-2024-0229-1.patch | 87 +++++++ .../xserver-xorg/CVE-2024-0229-2.patch | 221 ++++++++++++++++++ .../xserver-xorg/CVE-2024-0229-3.patch | 41 ++++ .../xserver-xorg/CVE-2024-0229-4.patch | 45 ++++ .../xserver-xorg/CVE-2024-0408.patch | 64 +++++ .../xserver-xorg/CVE-2024-0409.patch | 46 ++++ .../xserver-xorg/CVE-2024-21885.patch | 113 +++++++++ .../xserver-xorg/CVE-2024-21886-1.patch | 74 ++++++ .../xserver-xorg/CVE-2024-21886-2.patch | 57 +++++ .../xorg-xserver/xserver-xorg_1.20.14.bb | 10 + 11 files changed, 813 insertions(+) create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6816.patch create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-1.patch create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-2.patch create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-3.patch create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-4.patch create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0408.patch create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0409.patch create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21885.patch create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-1.patch create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-2.patch diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6816.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6816.patch new file mode 100644 index 0000000000..0bfff268e7 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6816.patch @@ -0,0 +1,55 @@ +From 9e2ecb2af8302dedc49cb6a63ebe063c58a9e7e3 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Thu, 14 Dec 2023 11:29:49 +1000 +Subject: [PATCH] dix: allocate enough space for logical button maps + +Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for +each logical button currently down. Since buttons can be arbitrarily mapped +to anything up to 255 make sure we have enough bits for the maximum mapping. + +CVE-2023-6816, ZDI-CAN-22664, ZDI-CAN-22665 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/9e2ecb2af8302dedc49cb6a63ebe063c58a9e7e3] +CVE: CVE-2023-6816 +Signed-off-by: Vijay Anusuri +--- + Xi/xiquerypointer.c | 3 +-- + dix/enterleave.c | 5 +++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/Xi/xiquerypointer.c b/Xi/xiquerypointer.c +index 5b77b1a444..2b05ac5f39 100644 +--- a/Xi/xiquerypointer.c ++++ b/Xi/xiquerypointer.c +@@ -149,8 +149,7 @@ ProcXIQueryPointer(ClientPtr client) + if (pDev->button) { + int i; + +- rep.buttons_len = +- bytes_to_int32(bits_to_bytes(pDev->button->numButtons)); ++ rep.buttons_len = bytes_to_int32(bits_to_bytes(256)); /* button map up to 255 */ + rep.length += rep.buttons_len; + buttons = calloc(rep.buttons_len, 4); + if (!buttons) +diff --git a/dix/enterleave.c b/dix/enterleave.c +index 867ec74363..ded8679d76 100644 +--- a/dix/enterleave.c ++++ b/dix/enterleave.c +@@ -784,8 +784,9 @@ DeviceFocusEvent(DeviceIntPtr dev, int type, int mode, int detail, + + mouse = IsFloating(dev) ? dev : GetMaster(dev, MASTER_POINTER); + +- /* XI 2 event */ +- btlen = (mouse->button) ? bits_to_bytes(mouse->button->numButtons) : 0; ++ /* XI 2 event contains the logical button map - maps are CARD8 ++ * so we need 256 bits for the possibly maximum mapping */ ++ btlen = (mouse->button) ? bits_to_bytes(256) : 0; + btlen = bytes_to_int32(btlen); + len = sizeof(xXIFocusInEvent) + btlen * 4; + +-- +GitLab + diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-1.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-1.patch new file mode 100644 index 0000000000..80ebc64e59 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-1.patch @@ -0,0 +1,87 @@ +From ece23be888a93b741aa1209d1dbf64636109d6a5 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Mon, 18 Dec 2023 14:27:50 +1000 +Subject: [PATCH] dix: Allocate sufficient xEvents for our DeviceStateNotify + +If a device has both a button class and a key class and numButtons is +zero, we can get an OOB write due to event under-allocation. + +This function seems to assume a device has either keys or buttons, not +both. It has two virtually identical code paths, both of which assume +they're applying to the first event in the sequence. + +A device with both a key and button class triggered a logic bug - only +one xEvent was allocated but the deviceStateNotify pointer was pushed on +once per type. So effectively this logic code: + + int count = 1; + if (button && nbuttons > 32) count++; + if (key && nbuttons > 0) count++; + if (key && nkeys > 32) count++; // this is basically always true + // count is at 2 for our keys + zero button device + + ev = alloc(count * sizeof(xEvent)); + FixDeviceStateNotify(ev); + if (button) + FixDeviceStateNotify(ev++); + if (key) + FixDeviceStateNotify(ev++); // santa drops into the wrong chimney here + +If the device has more than 3 valuators, the OOB is pushed back - we're +off by one so it will happen when the last deviceValuator event is +written instead. + +Fix this by allocating the maximum number of events we may allocate. +Note that the current behavior is not protocol-correct anyway, this +patch fixes only the allocation issue. + +Note that this issue does not trigger if the device has at least one +button. While the server does not prevent a button class with zero +buttons, it is very unlikely. + +CVE-2024-0229, ZDI-CAN-22678 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/ece23be888a93b741aa1209d1dbf64636109d6a5] +CVE: CVE-2024-0229 +Signed-off-by: Vijay Anusuri +--- + dix/enterleave.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/dix/enterleave.c b/dix/enterleave.c +index ded8679d76..17964b00a4 100644 +--- a/dix/enterleave.c ++++ b/dix/enterleave.c +@@ -675,7 +675,8 @@ static void + DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win) + { + int evcount = 1; +- deviceStateNotify *ev, *sev; ++ deviceStateNotify sev[6 + (MAX_VALUATORS + 2)/3]; ++ deviceStateNotify *ev; + deviceKeyStateNotify *kev; + deviceButtonStateNotify *bev; + +@@ -714,7 +715,7 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win) + } + } + +- sev = ev = xallocarray(evcount, sizeof(xEvent)); ++ ev = sev; + FixDeviceStateNotify(dev, ev, NULL, NULL, NULL, first); + + if (b != NULL) { +@@ -770,7 +771,6 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win) + + DeliverEventsToWindow(dev, win, (xEvent *) sev, evcount, + DeviceStateNotifyMask, NullGrab); +- free(sev); + } + + void +-- +GitLab + diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-2.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-2.patch new file mode 100644 index 0000000000..65df74376b --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-2.patch @@ -0,0 +1,221 @@ +From 219c54b8a3337456ce5270ded6a67bcde53553d5 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Mon, 18 Dec 2023 12:26:20 +1000 +Subject: [PATCH] dix: fix DeviceStateNotify event calculation + +The previous code only made sense if one considers buttons and keys to +be mutually exclusive on a device. That is not necessarily true, causing +a number of issues. + +This function allocates and fills in the number of xEvents we need to +send the device state down the wire. This is split across multiple +32-byte devices including one deviceStateNotify event and optional +deviceKeyStateNotify, deviceButtonStateNotify and (possibly multiple) +deviceValuator events. + +The previous behavior would instead compose a sequence +of [state, buttonstate, state, keystate, valuator...]. This is not +protocol correct, and on top of that made the code extremely convoluted. + +Fix this by streamlining: add both button and key into the deviceStateNotify +and then append the key state and button state, followed by the +valuators. Finally, the deviceValuator events contain up to 6 valuators +per event but we only ever sent through 3 at a time. Let's double that +troughput. + +CVE-2024-0229, ZDI-CAN-22678 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/219c54b8a3337456ce5270ded6a67bcde53553d5] +CVE: CVE-2024-0229 +Signed-off-by: Vijay Anusuri +--- + dix/enterleave.c | 121 ++++++++++++++++++++--------------------------- + 1 file changed, 52 insertions(+), 69 deletions(-) + +diff --git a/dix/enterleave.c b/dix/enterleave.c +index 17964b00a4..7b7ba1098b 100644 +--- a/dix/enterleave.c ++++ b/dix/enterleave.c +@@ -615,9 +615,15 @@ FixDeviceValuator(DeviceIntPtr dev, deviceValuator * ev, ValuatorClassPtr v, + + ev->type = DeviceValuator; + ev->deviceid = dev->id; +- ev->num_valuators = nval < 3 ? nval : 3; ++ ev->num_valuators = nval < 6 ? nval : 6; + ev->first_valuator = first; + switch (ev->num_valuators) { ++ case 6: ++ ev->valuator2 = v->axisVal[first + 5]; ++ case 5: ++ ev->valuator2 = v->axisVal[first + 4]; ++ case 4: ++ ev->valuator2 = v->axisVal[first + 3]; + case 3: + ev->valuator2 = v->axisVal[first + 2]; + case 2: +@@ -626,7 +632,6 @@ FixDeviceValuator(DeviceIntPtr dev, deviceValuator * ev, ValuatorClassPtr v, + ev->valuator0 = v->axisVal[first]; + break; + } +- first += ev->num_valuators; + } + + static void +@@ -646,7 +651,7 @@ FixDeviceStateNotify(DeviceIntPtr dev, deviceStateNotify * ev, KeyClassPtr k, + ev->num_buttons = b->numButtons; + memcpy((char *) ev->buttons, (char *) b->down, 4); + } +- else if (k) { ++ if (k) { + ev->classes_reported |= (1 << KeyClass); + ev->num_keys = k->xkbInfo->desc->max_key_code - + k->xkbInfo->desc->min_key_code; +@@ -670,15 +675,26 @@ FixDeviceStateNotify(DeviceIntPtr dev, deviceStateNotify * ev, KeyClassPtr k, + } + } + +- ++/** ++ * The device state notify event is split across multiple 32-byte events. ++ * The first one contains the first 32 button state bits, the first 32 ++ * key state bits, and the first 3 valuator values. ++ * ++ * If a device has more than that, the server sends out: ++ * - one deviceButtonStateNotify for buttons 32 and above ++ * - one deviceKeyStateNotify for keys 32 and above ++ * - one deviceValuator event per 6 valuators above valuator 4 ++ * ++ * All events but the last one have the deviceid binary ORed with MORE_EVENTS, ++ */ + static void + DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win) + { ++ /* deviceStateNotify, deviceKeyStateNotify, deviceButtonStateNotify ++ * and one deviceValuator for each 6 valuators */ ++ deviceStateNotify sev[3 + (MAX_VALUATORS + 6)/6]; + int evcount = 1; +- deviceStateNotify sev[6 + (MAX_VALUATORS + 2)/3]; +- deviceStateNotify *ev; +- deviceKeyStateNotify *kev; +- deviceButtonStateNotify *bev; ++ deviceStateNotify *ev = sev; + + KeyClassPtr k; + ButtonClassPtr b; +@@ -691,82 +707,49 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win) + + if ((b = dev->button) != NULL) { + nbuttons = b->numButtons; +- if (nbuttons > 32) ++ if (nbuttons > 32) /* first 32 are encoded in deviceStateNotify */ + evcount++; + } + if ((k = dev->key) != NULL) { + nkeys = k->xkbInfo->desc->max_key_code - k->xkbInfo->desc->min_key_code; +- if (nkeys > 32) ++ if (nkeys > 32) /* first 32 are encoded in deviceStateNotify */ + evcount++; +- if (nbuttons > 0) { +- evcount++; +- } + } + if ((v = dev->valuator) != NULL) { + nval = v->numAxes; +- +- if (nval > 3) +- evcount++; +- if (nval > 6) { +- if (!(k && b)) +- evcount++; +- if (nval > 9) +- evcount += ((nval - 7) / 3); +- } ++ /* first three are encoded in deviceStateNotify, then ++ * it's 6 per deviceValuator event */ ++ evcount += ((nval - 3) + 6)/6; + } + +- ev = sev; +- FixDeviceStateNotify(dev, ev, NULL, NULL, NULL, first); +- +- if (b != NULL) { +- FixDeviceStateNotify(dev, ev++, NULL, b, v, first); +- first += 3; +- nval -= 3; +- if (nbuttons > 32) { +- (ev - 1)->deviceid |= MORE_EVENTS; +- bev = (deviceButtonStateNotify *) ev++; +- bev->type = DeviceButtonStateNotify; +- bev->deviceid = dev->id; +- memcpy((char *) &bev->buttons[4], (char *) &b->down[4], +- DOWN_LENGTH - 4); +- } +- if (nval > 0) { +- (ev - 1)->deviceid |= MORE_EVENTS; +- FixDeviceValuator(dev, (deviceValuator *) ev++, v, first); +- first += 3; +- nval -= 3; +- } ++ BUG_RETURN(evcount <= ARRAY_SIZE(sev)); ++ ++ FixDeviceStateNotify(dev, ev, k, b, v, first); ++ ++ if (b != NULL && nbuttons > 32) { ++ deviceButtonStateNotify *bev = (deviceButtonStateNotify *) ++ev; ++ (ev - 1)->deviceid |= MORE_EVENTS; ++ bev->type = DeviceButtonStateNotify; ++ bev->deviceid = dev->id; ++ memcpy((char *) &bev->buttons[4], (char *) &b->down[4], ++ DOWN_LENGTH - 4); + } + +- if (k != NULL) { +- FixDeviceStateNotify(dev, ev++, k, NULL, v, first); +- first += 3; +- nval -= 3; +- if (nkeys > 32) { +- (ev - 1)->deviceid |= MORE_EVENTS; +- kev = (deviceKeyStateNotify *) ev++; +- kev->type = DeviceKeyStateNotify; +- kev->deviceid = dev->id; +- memmove((char *) &kev->keys[0], (char *) &k->down[4], 28); +- } +- if (nval > 0) { +- (ev - 1)->deviceid |= MORE_EVENTS; +- FixDeviceValuator(dev, (deviceValuator *) ev++, v, first); +- first += 3; +- nval -= 3; +- } ++ if (k != NULL && nkeys > 32) { ++ deviceKeyStateNotify *kev = (deviceKeyStateNotify *) ++ev; ++ (ev - 1)->deviceid |= MORE_EVENTS; ++ kev->type = DeviceKeyStateNotify; ++ kev->deviceid = dev->id; ++ memmove((char *) &kev->keys[0], (char *) &k->down[4], 28); + } + ++ first = 3; ++ nval -= 3; + while (nval > 0) { +- FixDeviceStateNotify(dev, ev++, NULL, NULL, v, first); +- first += 3; +- nval -= 3; +- if (nval > 0) { +- (ev - 1)->deviceid |= MORE_EVENTS; +- FixDeviceValuator(dev, (deviceValuator *) ev++, v, first); +- first += 3; +- nval -= 3; +- } ++ ev->deviceid |= MORE_EVENTS; ++ FixDeviceValuator(dev, (deviceValuator *) ++ev, v, first); ++ first += 6; ++ nval -= 6; + } + + DeliverEventsToWindow(dev, win, (xEvent *) sev, evcount, +-- +GitLab + diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-3.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-3.patch new file mode 100644 index 0000000000..742c122fa8 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-3.patch @@ -0,0 +1,41 @@ +From df3c65706eb169d5938df0052059f3e0d5981b74 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Thu, 21 Dec 2023 13:48:10 +1000 +Subject: [PATCH] Xi: when creating a new ButtonClass, set the number of + buttons + +There's a racy sequence where a master device may copy the button class +from the slave, without ever initializing numButtons. This leads to a +device with zero buttons but a button class which is invalid. + +Let's copy the numButtons value from the source - by definition if we +don't have a button class yet we do not have any other slave devices +with more than this number of buttons anyway. + +CVE-2024-0229, ZDI-CAN-22678 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/df3c65706eb169d5938df0052059f3e0d5981b74] +CVE: CVE-2024-0229 +Signed-off-by: Vijay Anusuri +--- + Xi/exevents.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/Xi/exevents.c b/Xi/exevents.c +index 54ea11a938..e161714682 100644 +--- a/Xi/exevents.c ++++ b/Xi/exevents.c +@@ -605,6 +605,7 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to) + to->button = calloc(1, sizeof(ButtonClassRec)); + if (!to->button) + FatalError("[Xi] no memory for class shift.\n"); ++ to->button->numButtons = from->button->numButtons; + } + else + classes->button = NULL; +-- +GitLab + diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-4.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-4.patch new file mode 100644 index 0000000000..d1a6214793 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-4.patch @@ -0,0 +1,45 @@ +From 37539cb0bfe4ed96d4499bf371e6b1a474a740fe Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Thu, 21 Dec 2023 14:10:11 +1000 +Subject: [PATCH] Xi: require a pointer and keyboard device for + XIAttachToMaster + +If we remove a master device and specify which other master devices +attached slaves should be returned to, enforce that those two are +indeeed a pointer and a keyboard. + +Otherwise we can try to attach the keyboards to pointers and vice versa, +leading to possible crashes later. + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/37539cb0bfe4ed96d4499bf371e6b1a474a740fe] +CVE: CVE-2024-0229 +Signed-off-by: Vijay Anusuri +--- + Xi/xichangehierarchy.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c +index 504defe566..d2d985848d 100644 +--- a/Xi/xichangehierarchy.c ++++ b/Xi/xichangehierarchy.c +@@ -270,7 +270,7 @@ remove_master(ClientPtr client, xXIRemoveMasterInfo * r, int flags[MAXDEVICES]) + if (rc != Success) + goto unwind; + +- if (!IsMaster(newptr)) { ++ if (!IsMaster(newptr) || !IsPointerDevice(newptr)) { + client->errorValue = r->return_pointer; + rc = BadDevice; + goto unwind; +@@ -281,7 +281,7 @@ remove_master(ClientPtr client, xXIRemoveMasterInfo * r, int flags[MAXDEVICES]) + if (rc != Success) + goto unwind; + +- if (!IsMaster(newkeybd)) { ++ if (!IsMaster(newkeybd) || !IsKeyboardDevice(newkeybd)) { + client->errorValue = r->return_keyboard; + rc = BadDevice; + goto unwind; +-- +GitLab + diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0408.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0408.patch new file mode 100644 index 0000000000..c8f75d8a7e --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0408.patch @@ -0,0 +1,64 @@ +From e5e8586a12a3ec915673edffa10dc8fe5e15dac3 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Wed, 6 Dec 2023 12:09:41 +0100 +Subject: [PATCH] glx: Call XACE hooks on the GLX buffer + +The XSELINUX code will label resources at creation by checking the +access mode. When the access mode is DixCreateAccess, it will call the +function to label the new resource SELinuxLabelResource(). + +However, GLX buffers do not go through the XACE hooks when created, +hence leaving the resource actually unlabeled. + +When, later, the client tries to create another resource using that +drawable (like a GC for example), the XSELINUX code would try to use +the security ID of that object which has never been labeled, get a NULL +pointer and crash when checking whether the requested permissions are +granted for subject security ID. + +To avoid the issue, make sure to call the XACE hooks when creating the +GLX buffers. + +Credit goes to Donn Seeley for providing the patch. + +CVE-2024-0408 + +Signed-off-by: Olivier Fourdan +Acked-by: Peter Hutterer + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/e5e8586a12a3ec915673edffa10dc8fe5e15dac3] +CVE: CVE-2024-0408 +Signed-off-by: Vijay Anusuri +--- + glx/glxcmds.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/glx/glxcmds.c b/glx/glxcmds.c +index fc26a2e345..1e46d0c723 100644 +--- a/glx/glxcmds.c ++++ b/glx/glxcmds.c +@@ -48,6 +48,7 @@ + #include "indirect_util.h" + #include "protocol-versions.h" + #include "glxvndabi.h" ++#include "xace.h" + + static char GLXServerVendorName[] = "SGI"; + +@@ -1392,6 +1393,13 @@ DoCreatePbuffer(ClientPtr client, int screenNum, XID fbconfigId, + if (!pPixmap) + return BadAlloc; + ++ err = XaceHook(XACE_RESOURCE_ACCESS, client, glxDrawableId, RT_PIXMAP, ++ pPixmap, RT_NONE, NULL, DixCreateAccess); ++ if (err != Success) { ++ (*pGlxScreen->pScreen->DestroyPixmap) (pPixmap); ++ return err; ++ } ++ + /* Assign the pixmap the same id as the pbuffer and add it as a + * resource so it and the DRI2 drawable will be reclaimed when the + * pbuffer is destroyed. */ +-- +GitLab + diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0409.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0409.patch new file mode 100644 index 0000000000..9763e0b562 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0409.patch @@ -0,0 +1,46 @@ +From 2ef0f1116c65d5cb06d7b6d83f8a1aea702c94f7 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Wed, 6 Dec 2023 11:51:56 +0100 +Subject: [PATCH] ephyr,xwayland: Use the proper private key for cursor + +The cursor in DIX is actually split in two parts, the cursor itself and +the cursor bits, each with their own devPrivates. + +The cursor itself includes the cursor bits, meaning that the cursor bits +devPrivates in within structure of the cursor. + +Both Xephyr and Xwayland were using the private key for the cursor bits +to store the data for the cursor, and when using XSELINUX which comes +with its own special devPrivates, the data stored in that cursor bits' +devPrivates would interfere with the XSELINUX devPrivates data and the +SELINUX security ID would point to some other unrelated data, causing a +crash in the XSELINUX code when trying to (re)use the security ID. + +CVE-2024-0409 + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/2ef0f1116c65d5cb06d7b6d83f8a1aea702c94f7] +CVE: CVE-2024-0409 +Signed-off-by: Vijay Anusuri +--- + hw/kdrive/ephyr/ephyrcursor.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/kdrive/ephyr/ephyrcursor.c b/hw/kdrive/ephyr/ephyrcursor.c +index f991899..3f192d0 100644 +--- a/hw/kdrive/ephyr/ephyrcursor.c ++++ b/hw/kdrive/ephyr/ephyrcursor.c +@@ -246,7 +246,7 @@ miPointerSpriteFuncRec EphyrPointerSpriteFuncs = { + Bool + ephyrCursorInit(ScreenPtr screen) + { +- if (!dixRegisterPrivateKey(&ephyrCursorPrivateKey, PRIVATE_CURSOR_BITS, ++ if (!dixRegisterPrivateKey(&ephyrCursorPrivateKey, PRIVATE_CURSOR, + sizeof(ephyrCursorRec))) + return FALSE; + +-- +2.25.1 + diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21885.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21885.patch new file mode 100644 index 0000000000..7c8fbcc3ec --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21885.patch @@ -0,0 +1,113 @@ +From 4a5e9b1895627d40d26045bd0b7ef3dce503cbd1 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Thu, 4 Jan 2024 10:01:24 +1000 +Subject: [PATCH] Xi: flush hierarchy events after adding/removing master + devices + +The `XISendDeviceHierarchyEvent()` function allocates space to store up +to `MAXDEVICES` (256) `xXIHierarchyInfo` structures in `info`. + +If a device with a given ID was removed and a new device with the same +ID added both in the same operation, the single device ID will lead to +two info structures being written to `info`. + +Since this case can occur for every device ID at once, a total of two +times `MAXDEVICES` info structures might be written to the allocation. + +To avoid it, once one add/remove master is processed, send out the +device hierarchy event for the current state and continue. That event +thus only ever has exactly one of either added/removed in it (and +optionally slave attached/detached). + +CVE-2024-21885, ZDI-CAN-22744 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/4a5e9b1895627d40d26045bd0b7ef3dce503cbd1] +CVE: CVE-2024-21885 +Signed-off-by: Vijay Anusuri +--- + Xi/xichangehierarchy.c | 27 ++++++++++++++++++++++----- + 1 file changed, 22 insertions(+), 5 deletions(-) + +diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c +index d2d985848d..72d00451e3 100644 +--- a/Xi/xichangehierarchy.c ++++ b/Xi/xichangehierarchy.c +@@ -416,6 +416,11 @@ ProcXIChangeHierarchy(ClientPtr client) + size_t len; /* length of data remaining in request */ + int rc = Success; + int flags[MAXDEVICES] = { 0 }; ++ enum { ++ NO_CHANGE, ++ FLUSH, ++ CHANGED, ++ } changes = NO_CHANGE; + + REQUEST(xXIChangeHierarchyReq); + REQUEST_AT_LEAST_SIZE(xXIChangeHierarchyReq); +@@ -465,8 +470,9 @@ ProcXIChangeHierarchy(ClientPtr client) + rc = add_master(client, c, flags); + if (rc != Success) + goto unwind; +- } ++ changes = FLUSH; + break; ++ } + case XIRemoveMaster: + { + xXIRemoveMasterInfo *r = (xXIRemoveMasterInfo *) any; +@@ -475,8 +481,9 @@ ProcXIChangeHierarchy(ClientPtr client) + rc = remove_master(client, r, flags); + if (rc != Success) + goto unwind; +- } ++ changes = FLUSH; + break; ++ } + case XIDetachSlave: + { + xXIDetachSlaveInfo *c = (xXIDetachSlaveInfo *) any; +@@ -485,8 +492,9 @@ ProcXIChangeHierarchy(ClientPtr client) + rc = detach_slave(client, c, flags); + if (rc != Success) + goto unwind; +- } ++ changes = CHANGED; + break; ++ } + case XIAttachSlave: + { + xXIAttachSlaveInfo *c = (xXIAttachSlaveInfo *) any; +@@ -495,16 +503,25 @@ ProcXIChangeHierarchy(ClientPtr client) + rc = attach_slave(client, c, flags); + if (rc != Success) + goto unwind; ++ changes = CHANGED; ++ break; + } ++ default: + break; + } + ++ if (changes == FLUSH) { ++ XISendDeviceHierarchyEvent(flags); ++ memset(flags, 0, sizeof(flags)); ++ changes = NO_CHANGE; ++ } ++ + len -= any->length * 4; + any = (xXIAnyHierarchyChangeInfo *) ((char *) any + any->length * 4); + } + + unwind: +- +- XISendDeviceHierarchyEvent(flags); ++ if (changes != NO_CHANGE) ++ XISendDeviceHierarchyEvent(flags); + return rc; + } +-- +GitLab + diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-1.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-1.patch new file mode 100644 index 0000000000..1e1c782963 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-1.patch @@ -0,0 +1,74 @@ +From bc1fdbe46559dd947674375946bbef54dd0ce36b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= +Date: Fri, 22 Dec 2023 18:28:31 +0100 +Subject: [PATCH] Xi: do not keep linked list pointer during recursion + +The `DisableDevice()` function is called whenever an enabled device +is disabled and it moves the device from the `inputInfo.devices` linked +list to the `inputInfo.off_devices` linked list. + +However, its link/unlink operation has an issue during the recursive +call to `DisableDevice()` due to the `prev` pointer pointing to a +removed device. + +This issue leads to a length mismatch between the total number of +devices and the number of device in the list, leading to a heap +overflow and, possibly, to local privilege escalation. + +Simplify the code that checked whether the device passed to +`DisableDevice()` was in `inputInfo.devices` or not and find the +previous device after the recursion. + +CVE-2024-21886, ZDI-CAN-22840 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/bc1fdbe46559dd947674375946bbef54dd0ce36b] +CVE: CVE-2024-21886 +Signed-off-by: Vijay Anusuri +--- + dix/devices.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/dix/devices.c b/dix/devices.c +index dca98c8d1b..389d28a23c 100644 +--- a/dix/devices.c ++++ b/dix/devices.c +@@ -453,14 +453,20 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent) + { + DeviceIntPtr *prev, other; + BOOL enabled; ++ BOOL dev_in_devices_list = FALSE; + int flags[MAXDEVICES] = { 0 }; + + if (!dev->enabled) + return TRUE; + +- for (prev = &inputInfo.devices; +- *prev && (*prev != dev); prev = &(*prev)->next); +- if (*prev != dev) ++ for (other = inputInfo.devices; other; other = other->next) { ++ if (other == dev) { ++ dev_in_devices_list = TRUE; ++ break; ++ } ++ } ++ ++ if (!dev_in_devices_list) + return FALSE; + + TouchEndPhysicallyActiveTouches(dev); +@@ -511,6 +517,9 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent) + LeaveWindow(dev); + SetFocusOut(dev); + ++ for (prev = &inputInfo.devices; ++ *prev && (*prev != dev); prev = &(*prev)->next); ++ + *prev = dev->next; + dev->next = inputInfo.off_devices; + inputInfo.off_devices = dev; +-- +GitLab + diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-2.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-2.patch new file mode 100644 index 0000000000..af607df4f0 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-2.patch @@ -0,0 +1,57 @@ +From 26769aa71fcbe0a8403b7fb13b7c9010cc07c3a8 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Fri, 5 Jan 2024 09:40:27 +1000 +Subject: [PATCH] dix: when disabling a master, float disabled slaved devices + too + +Disabling a master device floats all slave devices but we didn't do this +to already-disabled slave devices. As a result those devices kept their +reference to the master device resulting in access to already freed +memory if the master device was removed before the corresponding slave +device. + +And to match this behavior, also forcibly reset that pointer during +CloseDownDevices(). + +Related to CVE-2024-21886, ZDI-CAN-22840 + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/26769aa71fcbe0a8403b7fb13b7c9010cc07c3a8] +CVE: CVE-2024-21886 +Signed-off-by: Vijay Anusuri +--- + dix/devices.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/dix/devices.c b/dix/devices.c +index 389d28a23c..84a6406d13 100644 +--- a/dix/devices.c ++++ b/dix/devices.c +@@ -483,6 +483,13 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent) + flags[other->id] |= XISlaveDetached; + } + } ++ ++ for (other = inputInfo.off_devices; other; other = other->next) { ++ if (!IsMaster(other) && GetMaster(other, MASTER_ATTACHED) == dev) { ++ AttachDevice(NULL, other, NULL); ++ flags[other->id] |= XISlaveDetached; ++ } ++ } + } + else { + for (other = inputInfo.devices; other; other = other->next) { +@@ -1088,6 +1095,11 @@ CloseDownDevices(void) + dev->master = NULL; + } + ++ for (dev = inputInfo.off_devices; dev; dev = dev->next) { ++ if (!IsMaster(dev) && !IsFloating(dev)) ++ dev->master = NULL; ++ } ++ + CloseDeviceList(&inputInfo.devices); + CloseDeviceList(&inputInfo.off_devices); + +-- +GitLab + diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb index 4fdf3a0ec3..d6c6c5bd45 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb @@ -20,6 +20,16 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat file://CVE-2023-5380.patch \ file://CVE-2023-6377.patch \ file://CVE-2023-6478.patch \ + file://CVE-2023-6816.patch \ + file://CVE-2024-0229-1.patch \ + file://CVE-2024-0229-2.patch \ + file://CVE-2024-0229-3.patch \ + file://CVE-2024-0229-4.patch \ + file://CVE-2024-21885.patch \ + file://CVE-2024-21886-1.patch \ + file://CVE-2024-21886-2.patch \ + file://CVE-2024-0408.patch \ + file://CVE-2024-0409.patch \ " SRC_URI[md5sum] = "453fc86aac8c629b3a5b77e8dcca30bf" SRC_URI[sha256sum] = "54b199c9280ff8bf0f73a54a759645bd0eeeda7255d1c99310d5b7595f3ac066" From patchwork Fri Jan 26 14:20:40 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 38360 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8A56BC47422 for ; Fri, 26 Jan 2024 14:21:22 +0000 (UTC) Received: from mail-pg1-f179.google.com (mail-pg1-f179.google.com [209.85.215.179]) by mx.groups.io with SMTP id smtpd.web10.17197.1706278874927543644 for ; Fri, 26 Jan 2024 06:21:15 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=MRxS3plc; spf=softfail (domain: sakoman.com, ip: 209.85.215.179, mailfrom: steve@sakoman.com) Received: by mail-pg1-f179.google.com with SMTP id 41be03b00d2f7-5c66b093b86so1260691a12.0 for ; Fri, 26 Jan 2024 06:21:14 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1706278874; x=1706883674; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=YWfK8+yjIMbkbaAoEu2wYE+OCiSqV5IhhKukIaxnto4=; b=MRxS3plcrVv9ar7+E2xUa+ru8xACgtczSE7Hqef/Om6OKDDNgCUc/aqqyggIW18H5S DEFCznyP7rcJYuoM6AsskBlM2Fd2x+Q8VwF8UP01N78teO/IZN6VuTtns0Rn42QLpESw rsGo0yzW61eoJSGbRmkCulBjn2Hv8sUfoeAZOvTt2hIJZpzMVTZKXDskI7KeefZQXzzo 2lAUMhZH5d7Gkr1dlwEFPxF+uAg+jFIn8RbGk1seBtbM+ASPV/ALYIGlyO00T8Ed53LU 9SwFAN1q8ms0FXbp1I5dp8CO6nky1mLlorj/j2yHpi3QOjnZhWBbhDOlFLXNyAG1VzWL 21Mg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1706278874; x=1706883674; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=YWfK8+yjIMbkbaAoEu2wYE+OCiSqV5IhhKukIaxnto4=; b=ADU9Xg/bYTXjDWcJmNs/D5HgMizlvdjYai/lYe4EyuXNJxcx4kND1Pus7G2C1BU7L7 iyXOU6oWiOuRBmlh548UHvvS3LdQGQ+g+Cvlgc45gCOUGXheYJlghcMwDpkCv815SibS 79ik98/XniXKms+ZZTQFfm1INDZku3lHjq3VT0NLGrkRimQbwWvpA9hXlIL+9vj3A1dS FNDoeCWhbd6QZcdfsjyGPFNciz26UoqxT4ceeiKhH2lujT1zy+FyLYNgp86ozN2mBLF/ dRTkUyDKQPSLBUwP84fieWT4R83uuWsEMaPXVFGP/+fxfD9HfqK/ZNivKXB1vxb7sflv fdsQ== X-Gm-Message-State: AOJu0Yyg9IYWxtgt31x8jybI2mPyeHxPZS30eHRfOf+LFBKR05/MVlIf 8Ynrk8fbwAbc5Nid/LzGo1b6Dxv+vogRpxjGV+7eR7fvMdcwLO+6FrF/BL7usxc0yToXmr2bp3R KwDM= X-Google-Smtp-Source: AGHT+IF0qIHCeVSKtnq98nwUlY7NiZ+9vG+BHIZeBYGJPTBi/h6xl89Yi6KuFwhUYFSK6pNX3hTI0w== X-Received: by 2002:a17:90a:b702:b0:290:2480:12cd with SMTP id l2-20020a17090ab70200b00290248012cdmr1433701pjr.23.1706278873907; Fri, 26 Jan 2024 06:21:13 -0800 (PST) Received: from hexa.router0800d9.com (dhcp-72-234-108-41.hawaiiantel.net. [72.234.108.41]) by smtp.gmail.com with ESMTPSA id rr14-20020a17090b2b4e00b0029095a896c8sm1136458pjb.40.2024.01.26.06.21.13 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 26 Jan 2024 06:21:13 -0800 (PST) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 7/8] opkg: Fix bad memory access error observe in file_read_line_alloc Date: Fri, 26 Jan 2024 04:20:40 -1000 Message-Id: <32e3618891295cec1ee5d4195998aa97f93b2207.1706278642.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 26 Jan 2024 14:21:22 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/194381 From: virendra thakur In the case of a zero length string being returned by fgets(), the condition checking for a trailing new line would perform a bad memory access outside of `buf`. This might happen when line with a leading null byte is read. Avoid this case by checking that the string has a length of at least one byte. Link: https://github.com/ndmsystems/opkg/commit/8b45a3c4cab95382beea1ecdddeb2e4a9ed14aba Signed-off-by: virendra thakur Signed-off-by: Steve Sakoman --- ...possible-bad-memory-access-in-file_r.patch | 50 +++++++++++++++++++ meta/recipes-devtools/opkg/opkg_0.4.2.bb | 1 + 2 files changed, 51 insertions(+) create mode 100644 meta/recipes-devtools/opkg/opkg/0001-file_util.c-fix-possible-bad-memory-access-in-file_r.patch diff --git a/meta/recipes-devtools/opkg/opkg/0001-file_util.c-fix-possible-bad-memory-access-in-file_r.patch b/meta/recipes-devtools/opkg/opkg/0001-file_util.c-fix-possible-bad-memory-access-in-file_r.patch new file mode 100644 index 0000000000..bec21e67f4 --- /dev/null +++ b/meta/recipes-devtools/opkg/opkg/0001-file_util.c-fix-possible-bad-memory-access-in-file_r.patch @@ -0,0 +1,50 @@ +From 8b45a3c4cab95382beea1ecdddeb2e4a9ed14aba Mon Sep 17 00:00:00 2001 +From: Jo-Philipp Wich +Date: Wed, 1 Apr 2020 21:47:40 +0200 +Subject: [PATCH 001/104] file_util.c: fix possible bad memory access in + file_read_line_alloc() + +In the case of a zero length string being returned by fgets(), the condition +checking for a trailing new line would perform a bad memory access outside +of `buf`. This might happen when line with a leading null byte is read. + +Avoid this case by checking that the string has a length of at least one +byte. Also change the unsigned int types to size_t to store length values +while we're at it. + +Upstream-Status: Backport [https://github.com/ndmsystems/opkg/commit/8b45a3c4cab95382beea1ecdddeb2e4a9ed14aba] + +Signed-off-by: Jo-Philipp Wich +Signed-off-by: Alejandro del Castillo +Signed-off-by: virendra thakur +--- + libopkg/file_util.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/libopkg/file_util.c b/libopkg/file_util.c +index fbed7b4..ee9f59d 100644 +--- a/libopkg/file_util.c ++++ b/libopkg/file_util.c +@@ -127,17 +127,14 @@ char *file_readlink_alloc(const char *file_name) + */ + char *file_read_line_alloc(FILE * fp) + { ++ size_t buf_len, line_size; + char buf[BUFSIZ]; +- unsigned int buf_len; + char *line = NULL; +- unsigned int line_size = 0; + int got_nl = 0; + +- buf[0] = '\0'; +- + while (fgets(buf, BUFSIZ, fp)) { + buf_len = strlen(buf); +- if (buf[buf_len - 1] == '\n') { ++ if (buf_len > 0 && buf[buf_len - 1] == '\n') { + buf_len--; + buf[buf_len] = '\0'; + got_nl = 1; +-- +2.25.1 + diff --git a/meta/recipes-devtools/opkg/opkg_0.4.2.bb b/meta/recipes-devtools/opkg/opkg_0.4.2.bb index 55be6547c0..3ebc27c8ee 100644 --- a/meta/recipes-devtools/opkg/opkg_0.4.2.bb +++ b/meta/recipes-devtools/opkg/opkg_0.4.2.bb @@ -16,6 +16,7 @@ SRC_URI = "http://downloads.yoctoproject.org/releases/${BPN}/${BPN}-${PV}.tar.gz file://opkg.conf \ file://0001-opkg_conf-create-opkg.lock-in-run-instead-of-var-run.patch \ file://sourcedateepoch.patch \ + file://0001-file_util.c-fix-possible-bad-memory-access-in-file_r.patch \ file://run-ptest \ " From patchwork Fri Jan 26 14:20:41 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 38362 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9C119C47DDF for ; Fri, 26 Jan 2024 14:21:22 +0000 (UTC) Received: from mail-pj1-f44.google.com (mail-pj1-f44.google.com [209.85.216.44]) by mx.groups.io with SMTP id smtpd.web11.17150.1706278877352082901 for ; Fri, 26 Jan 2024 06:21:17 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=wCSDrgqr; spf=softfail (domain: sakoman.com, ip: 209.85.216.44, mailfrom: steve@sakoman.com) Received: by mail-pj1-f44.google.com with SMTP id 98e67ed59e1d1-290da27f597so230880a91.2 for ; Fri, 26 Jan 2024 06:21:17 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1706278876; x=1706883676; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=lb+Umo3LGICSbiS+c1tqAOR5PWnRMuQM20z28T9pU7M=; b=wCSDrgqreKAXMBB8+URRzIujeuUKB/q4jpV0ACIvaxRpLw83idlE9a9r2lgsKklu2D xLzgrSWhgn8VvddYBtDPA02iATJYGxEQdGiiLn6Bdhwes8rj9uTAyaN2DSko6KUpgwGu pYtU3+8yY5/zFv1E9kX1w+8kKffcYRJXkW4lfCzAfIDl3bMQCx9H6j3tneKXo6eHFFE3 SJ+V+CmfEVMjtLuEi/6jbkyGNEjPMVnVTZFKZjooVRpveInuuB+p4de0uPYQlHpJpstD UkKgUmz9JqLparQiWpGcngZQXMAeczMQx+pdqQloUM6ovPI2/R5zlnx/OU0rV21NDKsf 8CHg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1706278876; x=1706883676; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=lb+Umo3LGICSbiS+c1tqAOR5PWnRMuQM20z28T9pU7M=; b=hrd4y/mppAsQ1Y8YOnmSLUA7By0pVR6VueXaZGtNPeEo4FPc1cTllmKwnzBH78PjJl YqnSHeI2/HfyrCL0HyNYjelmpNK5rtGTetgufQD/1Yfb28l5osDmJ/2WlA8oKo/jHp5V rh+ycsM2bywAg/TWA4ybfrfoxoxb9K92fZfzQe21EbFCeMvy4PMLdig+rY0KhD12u0Tv jQaV/RPhL5Jp1TowB8UaHiY8X061AgRjEEEJRLfY0qS5GhX24czOW9QG+SC8ubdfwdJ9 i3MouGRn5jz+5s7xk5dVTjH2IvVLCpdZg3QxLNEUQMm2aC+FZs4PosJ9He3cVbXU30/k AQTg== X-Gm-Message-State: AOJu0YwQltbptPX+IneszXQrA/wkyzEd4r/4pB5EyipltjIcDxmD805/ QwVdsEZv34l4uEXP7W1ehUCHW8YZyJESIfruRli7FWVq8IYhEH4pGX1Ttnm2YLYsLMKmMAixIZk QD6w= X-Google-Smtp-Source: AGHT+IFGsIpi2RfvXEpImmqjSn5wLLN58/Flurz1P0BoJSHT2Fchna/rIDZEHAe2SHipTPPOhPFAUA== X-Received: by 2002:a17:90b:2290:b0:290:505:248e with SMTP id kx16-20020a17090b229000b002900505248emr794163pjb.67.1706278876005; Fri, 26 Jan 2024 06:21:16 -0800 (PST) Received: from hexa.router0800d9.com (dhcp-72-234-108-41.hawaiiantel.net. [72.234.108.41]) by smtp.gmail.com with ESMTPSA id rr14-20020a17090b2b4e00b0029095a896c8sm1136458pjb.40.2024.01.26.06.21.14 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 26 Jan 2024 06:21:15 -0800 (PST) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 8/8] systemtap: Fix build with gcc-12 Date: Fri, 26 Jan 2024 04:20:41 -1000 Message-Id: <18ae4fea4bf8681f9138d21124589918e336ff6b.1706278642.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 26 Jan 2024 14:21:22 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/194382 From: Khem Raj Backport a patch to fix | ../git/util.cxx:1766:56: error: 'std::pointer_to_unary_function<_Arg, _Result> std::ptr_fun(_Result (*)(_Arg)) [with _Arg = int; _Result = int]' is deprecated: use 'std::function' instea d [-Werror=deprecated-declarations] | 1766 | std::not1(std::ptr_fun(std::isspace)))); | | ~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~ Signed-off-by: Khem Raj Signed-off-by: Alexandre Belloni Signed-off-by: Richard Purdie (cherry picked from commit 0b360d12203aafd8bf96433d11221a6ed910a11f) Signed-off-by: Steve Sakoman --- ...ility-re-tweak-for-rhel6-use-functio.patch | 49 +++++++++++++++++++ .../recipes-kernel/systemtap/systemtap_git.bb | 4 +- 2 files changed, 52 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-kernel/systemtap/systemtap/0001-gcc12-c-compatibility-re-tweak-for-rhel6-use-functio.patch diff --git a/meta/recipes-kernel/systemtap/systemtap/0001-gcc12-c-compatibility-re-tweak-for-rhel6-use-functio.patch b/meta/recipes-kernel/systemtap/systemtap/0001-gcc12-c-compatibility-re-tweak-for-rhel6-use-functio.patch new file mode 100644 index 0000000000..f885c44460 --- /dev/null +++ b/meta/recipes-kernel/systemtap/systemtap/0001-gcc12-c-compatibility-re-tweak-for-rhel6-use-functio.patch @@ -0,0 +1,49 @@ +From f199d1982ef8a6c6d5c06c082d057b8793bcc6aa Mon Sep 17 00:00:00 2001 +From: Serhei Makarov +Date: Fri, 21 Jan 2022 18:21:46 -0500 +Subject: [PATCH] gcc12 c++ compatibility re-tweak for rhel6: use function + pointer instead of lambdas instead of ptr_fun<> + +Saving 2 lines in ltrim/rtrim is probably not a good reason to drop +compatibility with the RHEL6 system compiler. Actually declaring a +named function and passing the function pointer is compatible with +everything. + +Upstream-Status: Backport [https://sourceware.org/git/?p=systemtap.git;a=commit;h=f199d1982ef8a6c6d5c06c082d057b8793bcc6aa] +Signed-off-by: Khem Raj +--- + util.cxx | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +--- a/util.cxx ++++ b/util.cxx +@@ -1757,21 +1757,24 @@ flush_to_stream (const string &fname, os + return 1; // Failure + } + ++int ++not_isspace(unsigned char c) ++{ ++ return !std::isspace(c); ++} ++ + // trim from start (in place) + void + ltrim(std::string &s) + { +- s.erase(s.begin(), +- std::find_if(s.begin(), s.end(), +- std::not1(std::ptr_fun(std::isspace)))); ++ s.erase(s.begin(), std::find_if(s.begin(), s.end(), not_isspace)); + } + + // trim from end (in place) + void + rtrim(std::string &s) + { +- s.erase(std::find_if(s.rbegin(), s.rend(), +- std::not1(std::ptr_fun(std::isspace))).base(), s.end()); ++ s.erase(std::find_if(s.rbegin(), s.rend(), not_isspace).base(), s.end()); + } + + // trim from both ends (in place) diff --git a/meta/recipes-kernel/systemtap/systemtap_git.bb b/meta/recipes-kernel/systemtap/systemtap_git.bb index bdd8fb83b0..a8b2cf1eac 100644 --- a/meta/recipes-kernel/systemtap/systemtap_git.bb +++ b/meta/recipes-kernel/systemtap/systemtap_git.bb @@ -6,7 +6,9 @@ HOMEPAGE = "https://sourceware.org/systemtap/" require systemtap_git.inc -SRC_URI += "file://0001-improve-reproducibility-for-c-compiling.patch" +SRC_URI += "file://0001-improve-reproducibility-for-c-compiling.patch \ + file://0001-gcc12-c-compatibility-re-tweak-for-rhel6-use-functio.patch \ + " DEPENDS = "elfutils"