From patchwork Wed Apr 3 03:11:46 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 41931 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id A1C8DCD11C2 for ; Wed, 3 Apr 2024 03:12:03 +0000 (UTC) Received: from mail-pf1-f171.google.com (mail-pf1-f171.google.com [209.85.210.171]) by mx.groups.io with SMTP id smtpd.web10.2727.1712113921791717318 for ; Tue, 02 Apr 2024 20:12:01 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=ljp4vzNg; spf=softfail (domain: sakoman.com, ip: 209.85.210.171, mailfrom: steve@sakoman.com) Received: by mail-pf1-f171.google.com with SMTP id d2e1a72fcca58-6ecc9f0bdaaso869704b3a.1 for ; Tue, 02 Apr 2024 20:12:01 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1712113921; x=1712718721; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=kONJk8X/1x+VOGiuyTVsLZAte9DnhF6/F+NrP/E3Yvk=; b=ljp4vzNg5Yf7sBBdExFm5mtXCWZ4ZxhivDhg8DKB1Sp9dsftg24ctvhIyTrxpgYWrr rWBT1PfOMN/DcJSZf3y0iRoI5FSTZx2nBXbq8VxCoit6K/EbwMw8wQ/cNriyxfZs3PC+ OY5pxeE3ErAnewpKCdN7dTabrlohRQogM7Q66ulhiZZHv2abJrFKOzhKdU+WwSO1cokE 0GIv8dGWXMQCvCHYLmWOqUVF9tEbAH8Lq9qSFJ+QY/Zock2XXDtKQiJq3QPB/fZbeXkh CducDDiD89pNS451p7K5IDhvDt9jjWe6ApBLnqWZSvQAqkIU5k9xB/wMWhRWwvWIZep4 n4lA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712113921; x=1712718721; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=kONJk8X/1x+VOGiuyTVsLZAte9DnhF6/F+NrP/E3Yvk=; b=u3xJM+sTmW1IyuC7IgbvwhI4tH2c9PbpWgNOHnoEfPz23ScyCxDKRPrzWJlnsJOjs9 DI1z3L0BBpbz1VULEQ7Zd/Sd+rjoVi7RIBQado5/rGb1RDfyhPCVeOtGhQGe+HspwW6p RTu4D7Im/7Iaeja1JbzDfeUvkcoUNu17peQmFKwYaI4y/sYg1yAaQZpHHyRaEj290esf pN8W7Kz5eKOP0+yDWoGosdPFXN2o65wtq3qpV5wJwGcvw1aT8n/U8/4bGVRU+1czRZCP ynRjJW99ZNatnLs8XV768oTDAECj8nEh3VlzG5Rb0QA76gbhZ6hSr+Gu08ggQwVaxv0j vI1A== X-Gm-Message-State: AOJu0YwkTsPjUgfuYT39mMUExBBkfJupIjQQSfluHbsVF16LfZEEMYSh Y6HSY1uH87BtCJBM8/2cI7AvfcIzd+19663cyYTaeQ7WphjOfNdRrXFPs88zsJKTw+37HTsLnlE ES9M= X-Google-Smtp-Source: AGHT+IGGkOlaE/Visy0AHLW+sc9tEaIwdvOqL7gTv9DHkH6Lh/xM9If3z8EKSEbDsRCPTKj1XObuGg== X-Received: by 2002:a05:6a00:3904:b0:6e8:ad8d:555d with SMTP id fh4-20020a056a00390400b006e8ad8d555dmr16892058pfb.20.1712113920711; Tue, 02 Apr 2024 20:12:00 -0700 (PDT) Received: from xps13.. (067-053-223-136.biz.spectrum.com. [67.53.223.136]) by smtp.gmail.com with ESMTPSA id x15-20020a63170f000000b005dc87f5dfcfsm10371743pgl.78.2024.04.02.20.11.59 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 02 Apr 2024 20:12:00 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 1/7] libtiff: backport Debian patch for CVE-2023-6277 & CVE-2023-52356 Date: Tue, 2 Apr 2024 17:11:46 -1000 Message-Id: <15abae1f6a9861e28ce35b015cb3ddc434f9fca4.1712113689.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 03 Apr 2024 03:12:03 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/197886 From: Vijay Anusuri import patches from ubuntu to fix CVE-2023-6277 CVE-2023-52356 Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/?h=ubuntu%2Ffocal-security Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/5320c9d89c054fa805d037d84c57da874470b01a & https://gitlab.com/libtiff/libtiff/-/commit/0b025324711213a75e38b52f7e7ba60235f108aa & https://gitlab.com/libtiff/libtiff/-/commit/de7bfd7d4377c266f81849579f696fa1ad5ba6c3 & https://gitlab.com/libtiff/libtiff/-/commit/dbb825a8312f30e63a06c272010967d51af5c35a & https://gitlab.com/libtiff/libtiff/-/commit/51558511bdbbcffdce534db21dbaf5d54b31638a] Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- .../libtiff/files/CVE-2023-52356.patch | 53 +++++ .../libtiff/files/CVE-2023-6277-1.patch | 191 ++++++++++++++++++ .../libtiff/files/CVE-2023-6277-2.patch | 152 ++++++++++++++ .../libtiff/files/CVE-2023-6277-3.patch | 46 +++++ .../libtiff/files/CVE-2023-6277-4.patch | 94 +++++++++ meta/recipes-multimedia/libtiff/tiff_4.1.0.bb | 5 + 6 files changed, 541 insertions(+) create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-52356.patch create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-6277-1.patch create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-6277-2.patch create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-6277-3.patch create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-6277-4.patch diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-52356.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-52356.patch new file mode 100644 index 0000000000..1b651e6529 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-52356.patch @@ -0,0 +1,53 @@ +[Ubuntu note: Backport of the following patch from upstream, with a few changes +to match the current version of the file in the present Ubuntu release: + . using TIFFErrorExt instead of TIFFErrorExtR (the latter did not exist yet); +-- Rodrigo Figueiredo Zaiden] + +Backport of: + +From 51558511bdbbcffdce534db21dbaf5d54b31638a Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Tue, 31 Oct 2023 15:58:41 +0100 +Subject: [PATCH] TIFFReadRGBAStrip/TIFFReadRGBATile: add more validation of + col/row (fixes #622) + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/CVE-2023-52356.patch?h=ubuntu/focal-security +Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/51558511bdbbcffdce534db21dbaf5d54b31638a] +CVE: CVE-2023-52356 +Signed-off-by: Vijay Anusuri +--- + libtiff/tif_getimage.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + + +--- tiff-4.1.0+git191117.orig/libtiff/tif_getimage.c ++++ tiff-4.1.0+git191117/libtiff/tif_getimage.c +@@ -2926,6 +2926,13 @@ TIFFReadRGBAStripExt(TIFF* tif, uint32 r + } + + if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, stop_on_error, emsg)) { ++ if (row >= img.height) ++ { ++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), ++ "Invalid row passed to TIFFReadRGBAStrip()."); ++ TIFFRGBAImageEnd(&img); ++ return (0); ++ } + + img.row_offset = row; + img.col_offset = 0; +@@ -3002,6 +3009,14 @@ TIFFReadRGBATileExt(TIFF* tif, uint32 co + return( 0 ); + } + ++ if (col >= img.width || row >= img.height) ++ { ++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), ++ "Invalid row/col passed to TIFFReadRGBATile()."); ++ TIFFRGBAImageEnd(&img); ++ return (0); ++ } ++ + /* + * The TIFFRGBAImageGet() function doesn't allow us to get off the + * edge of the image, even to fill an otherwise valid tile. So we diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-1.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-1.patch new file mode 100644 index 0000000000..e955b3f2e4 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-1.patch @@ -0,0 +1,191 @@ +[Ubuntu note: Backport of the following patch from upstream, with a few changes +to match the current version of the file in the present Ubuntu release: + . included inttypes.h header to support PRIu32 and PRIu64; + . using TIFFWarningExt instead of TIFFWarningExtR (the latter did not exist yet); + . using uint64 instead of uint64_t to preserve the current code usage; + . calling _TIFFfree(data) instead of _TIFFfreeExt(tif, data) (the latter did not exist yet); + . calls to the check size, that is the idea of the patch, were added before + _TIFFCheckMalloc and may note match the original patch methods; +-- Rodrigo Figueiredo Zaiden] + +Backport of: + +From 5320c9d89c054fa805d037d84c57da874470b01a Mon Sep 17 00:00:00 2001 +From: Su Laus +Date: Tue, 31 Oct 2023 15:43:29 +0000 +Subject: [PATCH] Prevent some out-of-memory attacks + +Some small fuzzer files fake large amounts of data and provoke out-of-memory situations. For non-compressed data content / tags, out-of-memory can be prevented by comparing with the file size. + +At image reading, data size of some tags / data structures (StripByteCounts, StripOffsets, StripArray, TIFF directory) is compared with file size to prevent provoked out-of-memory attacks. + +See issue https://gitlab.com/libtiff/libtiff/-/issues/614#note_1602683857 + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/CVE-2023-6277-1.patch?h=ubuntu/focal-security +Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/5320c9d89c054fa805d037d84c57da874470b01a] +CVE: CVE-2023-6277 +Signed-off-by: Vijay Anusuri +--- + libtiff/tif_dirread.c | 92 ++++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 90 insertions(+), 2 deletions(-) + +--- tiff-4.1.0+git191117.orig/libtiff/tif_dirread.c ++++ tiff-4.1.0+git191117/libtiff/tif_dirread.c +@@ -37,6 +37,7 @@ + #include "tiffiop.h" + #include + #include ++#include + + #define FAILED_FII ((uint32) -1) + +@@ -863,6 +864,21 @@ static enum TIFFReadDirEntryErr TIFFRead + datasize=(*count)*typesize; + assert((tmsize_t)datasize>0); + ++ /* Before allocating a huge amount of memory for corrupted files, check if ++ * size of requested memory is not greater than file size. ++ */ ++ uint64 filesize = TIFFGetFileSize(tif); ++ if (datasize > filesize) ++ { ++ TIFFWarningExt(tif->tif_clientdata, "ReadDirEntryArray", ++ "Requested memory size for tag %d (0x%x) %" PRIu32 ++ " is greather than filesize %" PRIu64 ++ ". Memory not allocated, tag not read", ++ direntry->tdir_tag, direntry->tdir_tag, datasize, ++ filesize); ++ return (TIFFReadDirEntryErrAlloc); ++ } ++ + if( isMapped(tif) && datasize > (uint32)tif->tif_size ) + return TIFFReadDirEntryErrIo; + +@@ -4534,6 +4550,20 @@ EstimateStripByteCounts(TIFF* tif, TIFFD + if( !_TIFFFillStrilesInternal( tif, 0 ) ) + return -1; + ++ /* Before allocating a huge amount of memory for corrupted files, check if ++ * size of requested memory is not greater than file size. */ ++ uint64 filesize = TIFFGetFileSize(tif); ++ uint64 allocsize = (uint64)td->td_nstrips * sizeof(uint64); ++ if (allocsize > filesize) ++ { ++ TIFFWarningExt(tif->tif_clientdata, module, ++ "Requested memory size for StripByteCounts of %" PRIu64 ++ " is greather than filesize %" PRIu64 ++ ". Memory not allocated", ++ allocsize, filesize); ++ return -1; ++ } ++ + if (td->td_stripbytecount_p) + _TIFFfree(td->td_stripbytecount_p); + td->td_stripbytecount_p = (uint64*) +@@ -4544,9 +4574,7 @@ EstimateStripByteCounts(TIFF* tif, TIFFD + + if (td->td_compression != COMPRESSION_NONE) { + uint64 space; +- uint64 filesize; + uint16 n; +- filesize = TIFFGetFileSize(tif); + if (!(tif->tif_flags&TIFF_BIGTIFF)) + space=sizeof(TIFFHeaderClassic)+2+dircount*12+4; + else +@@ -4854,6 +4882,20 @@ TIFFFetchDirectory(TIFF* tif, uint64 dir + dircount16 = (uint16)dircount64; + dirsize = 20; + } ++ /* Before allocating a huge amount of memory for corrupted files, check ++ * if size of requested memory is not greater than file size. */ ++ uint64 filesize = TIFFGetFileSize(tif); ++ uint64 allocsize = (uint64)dircount16 * dirsize; ++ if (allocsize > filesize) ++ { ++ TIFFWarningExt( ++ tif->tif_clientdata, module, ++ "Requested memory size for TIFF directory of %" PRIu64 ++ " is greather than filesize %" PRIu64 ++ ". Memory not allocated, TIFF directory not read", ++ allocsize, filesize); ++ return 0; ++ } + origdir = _TIFFCheckMalloc(tif, dircount16, + dirsize, "to read TIFF directory"); + if (origdir == NULL) +@@ -4957,6 +4999,20 @@ TIFFFetchDirectory(TIFF* tif, uint64 dir + "Sanity check on directory count failed, zero tag directories not supported"); + return 0; + } ++ /* Before allocating a huge amount of memory for corrupted files, check ++ * if size of requested memory is not greater than file size. */ ++ uint64 filesize = TIFFGetFileSize(tif); ++ uint64 allocsize = (uint64)dircount16 * dirsize; ++ if (allocsize > filesize) ++ { ++ TIFFWarningExt( ++ tif->tif_clientdata, module, ++ "Requested memory size for TIFF directory of %" PRIu64 ++ " is greather than filesize %" PRIu64 ++ ". Memory not allocated, TIFF directory not read", ++ allocsize, filesize); ++ return 0; ++ } + origdir = _TIFFCheckMalloc(tif, dircount16, + dirsize, + "to read TIFF directory"); +@@ -5000,6 +5056,8 @@ TIFFFetchDirectory(TIFF* tif, uint64 dir + } + } + } ++ /* No check against filesize needed here because "dir" should have same size ++ * than "origdir" checked above. */ + dir = (TIFFDirEntry*)_TIFFCheckMalloc(tif, dircount16, + sizeof(TIFFDirEntry), + "to read TIFF directory"); +@@ -5769,7 +5827,20 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEn + _TIFFfree(data); + return(0); + } +- ++ /* Before allocating a huge amount of memory for corrupted files, check ++ * if size of requested memory is not greater than file size. */ ++ uint64 filesize = TIFFGetFileSize(tif); ++ uint64 allocsize = (uint64)nstrips * sizeof(uint64); ++ if (allocsize > filesize) ++ { ++ TIFFWarningExt(tif->tif_clientdata, module, ++ "Requested memory size for StripArray of %" PRIu64 ++ " is greather than filesize %" PRIu64 ++ ". Memory not allocated", ++ allocsize, filesize); ++ _TIFFfree(data); ++ return (0); ++ } + resizeddata=(uint64*)_TIFFCheckMalloc(tif,nstrips,sizeof(uint64),"for strip array"); + if (resizeddata==0) { + _TIFFfree(data); +@@ -5865,6 +5936,23 @@ static void allocChoppedUpStripArrays(TI + } + bytecount = last_offset + last_bytecount - offset; + ++ /* Before allocating a huge amount of memory for corrupted files, check if ++ * size of StripByteCount and StripOffset tags is not greater than ++ * file size. ++ */ ++ uint64 allocsize = (uint64)nstrips * sizeof(uint64) * 2; ++ uint64 filesize = TIFFGetFileSize(tif); ++ if (allocsize > filesize) ++ { ++ TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays", ++ "Requested memory size for StripByteCount and " ++ "StripOffsets %" PRIu64 ++ " is greather than filesize %" PRIu64 ++ ". Memory not allocated", ++ allocsize, filesize); ++ return; ++ } ++ + newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), + "for chopped \"StripByteCounts\" array"); + newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-2.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-2.patch new file mode 100644 index 0000000000..644b3fdb3f --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-2.patch @@ -0,0 +1,152 @@ +[Ubuntu note: Backport of the following patch from upstream, with a few changes +to match the current version of the file in the present Ubuntu release: + . using TIFFWarningExt instead of TIFFWarningExtR (the latter did not exist yet); + . using uint64 instead of uint64_t to preserve the current code usage; +-- Rodrigo Figueiredo Zaiden] + +Backport of: + +From 0b025324711213a75e38b52f7e7ba60235f108aa Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Tue, 31 Oct 2023 19:47:22 +0100 +Subject: [PATCH] tif_dirread.c: only issue TIFFGetFileSize() for large enough + RAM requests + +Ammends 5320c9d89c054fa805d037d84c57da874470b01a + +This fixes a performance regression caught by the GDAL regression test +suite. + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/CVE-2023-6277-2.patch?h=ubuntu/focal-security +Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/0b025324711213a75e38b52f7e7ba60235f108aa] +CVE: CVE-2023-6277 +Signed-off-by: Vijay Anusuri +--- + libtiff/tif_dirread.c | 83 +++++++++++++++++++++++++------------------ + 1 file changed, 48 insertions(+), 35 deletions(-) + +--- tiff-4.1.0+git191117.orig/libtiff/tif_dirread.c ++++ tiff-4.1.0+git191117/libtiff/tif_dirread.c +@@ -864,19 +864,22 @@ static enum TIFFReadDirEntryErr TIFFRead + datasize=(*count)*typesize; + assert((tmsize_t)datasize>0); + +- /* Before allocating a huge amount of memory for corrupted files, check if +- * size of requested memory is not greater than file size. +- */ +- uint64 filesize = TIFFGetFileSize(tif); +- if (datasize > filesize) ++ if (datasize > 100 * 1024 * 1024) + { +- TIFFWarningExt(tif->tif_clientdata, "ReadDirEntryArray", +- "Requested memory size for tag %d (0x%x) %" PRIu32 +- " is greather than filesize %" PRIu64 +- ". Memory not allocated, tag not read", +- direntry->tdir_tag, direntry->tdir_tag, datasize, +- filesize); +- return (TIFFReadDirEntryErrAlloc); ++ /* Before allocating a huge amount of memory for corrupted files, check ++ * if size of requested memory is not greater than file size. ++ */ ++ const uint64 filesize = TIFFGetFileSize(tif); ++ if (datasize > filesize) ++ { ++ TIFFWarningExt(tif->tif_clientdata, "ReadDirEntryArray", ++ "Requested memory size for tag %d (0x%x) %" PRIu32 ++ " is greater than filesize %" PRIu64 ++ ". Memory not allocated, tag not read", ++ direntry->tdir_tag, direntry->tdir_tag, datasize, ++ filesize); ++ return (TIFFReadDirEntryErrAlloc); ++ } + } + + if( isMapped(tif) && datasize > (uint32)tif->tif_size ) +@@ -4550,18 +4553,22 @@ EstimateStripByteCounts(TIFF* tif, TIFFD + if( !_TIFFFillStrilesInternal( tif, 0 ) ) + return -1; + +- /* Before allocating a huge amount of memory for corrupted files, check if +- * size of requested memory is not greater than file size. */ +- uint64 filesize = TIFFGetFileSize(tif); +- uint64 allocsize = (uint64)td->td_nstrips * sizeof(uint64); +- if (allocsize > filesize) ++ const uint64 allocsize = (uint64)td->td_nstrips * sizeof(uint64); ++ uint64 filesize = 0; ++ if (allocsize > 100 * 1024 * 1024) + { +- TIFFWarningExt(tif->tif_clientdata, module, +- "Requested memory size for StripByteCounts of %" PRIu64 +- " is greather than filesize %" PRIu64 +- ". Memory not allocated", +- allocsize, filesize); +- return -1; ++ /* Before allocating a huge amount of memory for corrupted files, check ++ * if size of requested memory is not greater than file size. */ ++ filesize = TIFFGetFileSize(tif); ++ if (allocsize > filesize) ++ { ++ TIFFWarningExt( ++ tif->tif_clientdata, module, ++ "Requested memory size for StripByteCounts of %" PRIu64 ++ " is greater than filesize %" PRIu64 ". Memory not allocated", ++ allocsize, filesize); ++ return -1; ++ } + } + + if (td->td_stripbytecount_p) +@@ -4608,11 +4615,13 @@ EstimateStripByteCounts(TIFF* tif, TIFFD + return -1; + space+=datasize; + } ++ if (filesize == 0) ++ filesize = TIFFGetFileSize(tif); + if( filesize < space ) +- /* we should perhaps return in error ? */ +- space = filesize; +- else +- space = filesize - space; ++ /* we should perhaps return in error ? */ ++ space = filesize; ++ else ++ space = filesize - space; + if (td->td_planarconfig == PLANARCONFIG_SEPARATE) + space /= td->td_samplesperpixel; + for (strip = 0; strip < td->td_nstrips; strip++) +@@ -4882,19 +4891,23 @@ TIFFFetchDirectory(TIFF* tif, uint64 dir + dircount16 = (uint16)dircount64; + dirsize = 20; + } +- /* Before allocating a huge amount of memory for corrupted files, check +- * if size of requested memory is not greater than file size. */ +- uint64 filesize = TIFFGetFileSize(tif); +- uint64 allocsize = (uint64)dircount16 * dirsize; +- if (allocsize > filesize) ++ const uint64 allocsize = (uint64)dircount16 * dirsize; ++ if (allocsize > 100 * 1024 * 1024) + { +- TIFFWarningExt( +- tif->tif_clientdata, module, +- "Requested memory size for TIFF directory of %" PRIu64 +- " is greather than filesize %" PRIu64 +- ". Memory not allocated, TIFF directory not read", +- allocsize, filesize); +- return 0; ++ /* Before allocating a huge amount of memory for corrupted files, ++ * check if size of requested memory is not greater than file size. ++ */ ++ const uint64 filesize = TIFFGetFileSize(tif); ++ if (allocsize > filesize) ++ { ++ TIFFWarningExt( ++ tif->tif_clientdata, module, ++ "Requested memory size for TIFF directory of %" PRIu64 ++ " is greater than filesize %" PRIu64 ++ ". Memory not allocated, TIFF directory not read", ++ allocsize, filesize); ++ return 0; ++ } + } + origdir = _TIFFCheckMalloc(tif, dircount16, + dirsize, "to read TIFF directory"); diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-3.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-3.patch new file mode 100644 index 0000000000..ed7d7e7b96 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-3.patch @@ -0,0 +1,46 @@ +Backport of: + +From de7bfd7d4377c266f81849579f696fa1ad5ba6c3 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Tue, 31 Oct 2023 20:13:45 +0100 +Subject: [PATCH] TIFFFetchDirectory(): remove useless allocsize vs filesize + check + +CoverityScan rightly points that the max value for dircount16 * dirsize +is 4096 * 20. That's small enough not to do any check + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/CVE-2023-6277-3.patch?h=ubuntu/focal-security +Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/de7bfd7d4377c266f81849579f696fa1ad5ba6c3] +CVE: CVE-2023-6277 +Signed-off-by: Vijay Anusuri +--- + libtiff/tif_dirread.c | 18 ------------------ + 1 file changed, 18 deletions(-) + +--- tiff-4.1.0+git191117.orig/libtiff/tif_dirread.c ++++ tiff-4.1.0+git191117/libtiff/tif_dirread.c +@@ -4891,24 +4891,6 @@ TIFFFetchDirectory(TIFF* tif, uint64 dir + dircount16 = (uint16)dircount64; + dirsize = 20; + } +- const uint64 allocsize = (uint64)dircount16 * dirsize; +- if (allocsize > 100 * 1024 * 1024) +- { +- /* Before allocating a huge amount of memory for corrupted files, +- * check if size of requested memory is not greater than file size. +- */ +- const uint64 filesize = TIFFGetFileSize(tif); +- if (allocsize > filesize) +- { +- TIFFWarningExt( +- tif->tif_clientdata, module, +- "Requested memory size for TIFF directory of %" PRIu64 +- " is greater than filesize %" PRIu64 +- ". Memory not allocated, TIFF directory not read", +- allocsize, filesize); +- return 0; +- } +- } + origdir = _TIFFCheckMalloc(tif, dircount16, + dirsize, "to read TIFF directory"); + if (origdir == NULL) diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-4.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-4.patch new file mode 100644 index 0000000000..1a43fd3230 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-4.patch @@ -0,0 +1,94 @@ +[Ubuntu note: Backport of the following patch from upstream, with a few changes +to match the current version of the file in the present Ubuntu release: + . using TIFFWarningExt instead of TIFFWarningExtR (the latter did not exist yet); + . using uint64 instead of uint64_t to preserve the current code usage; + . calling _TIFFfree(data) instead of _TIFFfreeExt(tif, data) (the latter did not exist yet); +-- Rodrigo Figueiredo Zaiden] + +Backport of: + +From dbb825a8312f30e63a06c272010967d51af5c35a Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Tue, 31 Oct 2023 21:30:58 +0100 +Subject: [PATCH] tif_dirread.c: only issue TIFFGetFileSize() for large enough + RAM requests + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/CVE-2023-6277-4.patch?h=ubuntu/focal-security +Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/dbb825a8312f30e63a06c272010967d51af5c35a] +CVE: CVE-2023-6277 +Signed-off-by: Vijay Anusuri +--- + libtiff/tif_dirread.c | 54 +++++++++++++++++++++++++------------------ + 1 file changed, 31 insertions(+), 23 deletions(-) + +--- tiff-4.1.0+git191117.orig/libtiff/tif_dirread.c ++++ tiff-4.1.0+git191117/libtiff/tif_dirread.c +@@ -5822,19 +5822,24 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEn + _TIFFfree(data); + return(0); + } +- /* Before allocating a huge amount of memory for corrupted files, check +- * if size of requested memory is not greater than file size. */ +- uint64 filesize = TIFFGetFileSize(tif); +- uint64 allocsize = (uint64)nstrips * sizeof(uint64); +- if (allocsize > filesize) ++ const uint64 allocsize = (uint64)nstrips * sizeof(uint64); ++ if (allocsize > 100 * 1024 * 1024) + { +- TIFFWarningExt(tif->tif_clientdata, module, +- "Requested memory size for StripArray of %" PRIu64 +- " is greather than filesize %" PRIu64 +- ". Memory not allocated", +- allocsize, filesize); +- _TIFFfree(data); +- return (0); ++ /* Before allocating a huge amount of memory for corrupted files, ++ * check if size of requested memory is not greater than file size. ++ */ ++ const uint64 filesize = TIFFGetFileSize(tif); ++ if (allocsize > filesize) ++ { ++ TIFFWarningExt( ++ tif->tif_clientdata, module, ++ "Requested memory size for StripArray of %" PRIu64 ++ " is greater than filesize %" PRIu64 ++ ". Memory not allocated", ++ allocsize, filesize); ++ _TIFFfree(data); ++ return (0); ++ } + } + resizeddata=(uint64*)_TIFFCheckMalloc(tif,nstrips,sizeof(uint64),"for strip array"); + if (resizeddata==0) { +@@ -5935,17 +5940,20 @@ static void allocChoppedUpStripArrays(TI + * size of StripByteCount and StripOffset tags is not greater than + * file size. + */ +- uint64 allocsize = (uint64)nstrips * sizeof(uint64) * 2; +- uint64 filesize = TIFFGetFileSize(tif); +- if (allocsize > filesize) +- { +- TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays", +- "Requested memory size for StripByteCount and " +- "StripOffsets %" PRIu64 +- " is greather than filesize %" PRIu64 +- ". Memory not allocated", +- allocsize, filesize); +- return; ++ const uint64 allocsize = (uint64)nstrips * sizeof(uint64) * 2; ++ if (allocsize > 100 * 1024 * 1024) ++ { ++ const uint64 filesize = TIFFGetFileSize(tif); ++ if (allocsize > filesize) ++ { ++ TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays", ++ "Requested memory size for StripByteCount and " ++ "StripOffsets %" PRIu64 ++ " is greater than filesize %" PRIu64 ++ ". Memory not allocated", ++ allocsize, filesize); ++ return; ++ } + } + + newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), diff --git a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb index c739f3a7fa..7efaba3a38 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb @@ -49,6 +49,11 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ file://CVE-2023-41175.patch \ file://CVE-2022-40090.patch \ file://CVE-2023-6228.patch \ + file://CVE-2023-6277-1.patch \ + file://CVE-2023-6277-2.patch \ + file://CVE-2023-6277-3.patch \ + file://CVE-2023-6277-4.patch \ + file://CVE-2023-52356.patch \ " SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424" SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634" From patchwork Wed Apr 3 03:11:47 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 41933 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8F832C6FD1F for ; Wed, 3 Apr 2024 03:12:13 +0000 (UTC) Received: from mail-pf1-f177.google.com (mail-pf1-f177.google.com [209.85.210.177]) by mx.groups.io with SMTP id smtpd.web10.2730.1712113923510483682 for ; Tue, 02 Apr 2024 20:12:03 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=Vs/7nTPJ; spf=softfail (domain: sakoman.com, ip: 209.85.210.177, mailfrom: steve@sakoman.com) Received: by mail-pf1-f177.google.com with SMTP id d2e1a72fcca58-6e6b22af648so414021b3a.0 for ; Tue, 02 Apr 2024 20:12:03 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1712113923; x=1712718723; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=vAXBthLlpLDMfPkughrA8il4rX9c3rqOLlAiOQFPqAY=; b=Vs/7nTPJKi11AQ4LZjbcl5VN3GfF/nbbQvljOUa+1TbU3M4jgwrwaX9K9u2468UCeV OyC+Al5jDn2ctB8ucXmHhU9lN9/FH+dXi4LxncxCjCa0FV0F13dyYmvOnxbxq162nf5e 7+xqK31wt066a9Us2XOI3wJgMNXdQMndOW5jiwkD/yyQ6G+Z7qhPcoxWutstnbF7mAYU 1xA5hFyvTbx1gdt3slfDcc2APgJT5EV3f3e+kCzJWSaYuhkMwVqkjD/vv24OXMPRBsq8 WVqDDa380sFPJLtnszDFG8LpQ+ch1qk/WmfWKDyPvru0MiEcozRhTCBixuHk4BKVoVr3 kQJg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712113923; x=1712718723; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=vAXBthLlpLDMfPkughrA8il4rX9c3rqOLlAiOQFPqAY=; b=OHUzZvruKjFbIOhcBfL/pRElHLO7pOYQ5xw3aMAvkpEhxNQyHfLV/M9yEtxseeank1 qs32FI199LNfjUY4v8jH2UO1a3bIwRfXIiNkGLn/SflWwYTATSubsm93oWmsmX+Hr9XJ R6mC36ZUOI3jGuX0dO+oiIZAMER60Rd2rma0MSnw3t9I3NwNIpVSTIYEbf/RSuHQoDzC ciQjRsJF2mXKB3jlSC/6KPziUjINJKroAtoti6lDfvQEOzlyKQdaD8xTd4GAz30e4JpN ZJLPHhice+WAnpSpwPr7dE2Ec8aIoBZh4rqHWSB+4gre9bhI8uWZdwDVLccTkhmiPfYw KXkA== X-Gm-Message-State: AOJu0YxV1mfQsq3gPoM2ndxRsFYHPuwAqZ75L9CNdFQkqAgb3JTW90sg 6Kv8UIkRKUkrbqpOMKwBrx3u5f2HdfLXaoqHusGAIgjBLENqC9tvG7wbAhDZTAqFQREQudKeV5m XDow= X-Google-Smtp-Source: AGHT+IHiV5Qe5hR7wKKbkfnzcpQ6/Y8IuZwcBRdg8tVwTkXlL23MkzitdWAIlEzJ8hyWpiFVOV/DlA== X-Received: by 2002:a05:6a20:3ca0:b0:1a3:4e27:c8d1 with SMTP id b32-20020a056a203ca000b001a34e27c8d1mr1652181pzj.25.1712113922328; Tue, 02 Apr 2024 20:12:02 -0700 (PDT) Received: from xps13.. (067-053-223-136.biz.spectrum.com. [67.53.223.136]) by smtp.gmail.com with ESMTPSA id x15-20020a63170f000000b005dc87f5dfcfsm10371743pgl.78.2024.04.02.20.12.01 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 02 Apr 2024 20:12:01 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 2/7] go: Fix for CVE-2023-45289 CVE-2023-45290 & CVE-2024-24785 Date: Tue, 2 Apr 2024 17:11:47 -1000 Message-Id: <2bc50dccff15b9c4ad815092ef20caa3ef06864c.1712113689.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 03 Apr 2024 03:12:13 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/197887 From: Vijay Anusuri Upstream-Status: Backport [https://github.com/golang/go/commit/20586c0dbe03d144f914155f879fa5ee287591a1 & https://github.com/golang/go/commit/bf80213b121074f4ad9b449410a4d13bae5e9be0 & https://github.com/golang/go/commit/3643147a29352ca2894fd5d0d2069bc4b4335a7e] Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- meta/recipes-devtools/go/go-1.14.inc | 3 + .../go/go-1.14/CVE-2023-45289.patch | 121 ++++++++ .../go/go-1.14/CVE-2023-45290.patch | 271 ++++++++++++++++++ .../go/go-1.14/CVE-2024-24785.patch | 197 +++++++++++++ 4 files changed, 592 insertions(+) create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-45289.patch create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-45290.patch create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2024-24785.patch diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc index 4fbf9d7590..69b65f3eb2 100644 --- a/meta/recipes-devtools/go/go-1.14.inc +++ b/meta/recipes-devtools/go/go-1.14.inc @@ -88,6 +88,9 @@ SRC_URI += "\ file://CVE-2023-45287-pre2.patch \ file://CVE-2023-45287-pre3.patch \ file://CVE-2023-45287.patch \ + file://CVE-2023-45289.patch \ + file://CVE-2023-45290.patch \ + file://CVE-2024-24785.patch \ " SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch" diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-45289.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-45289.patch new file mode 100644 index 0000000000..13d3510504 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-45289.patch @@ -0,0 +1,121 @@ +From 20586c0dbe03d144f914155f879fa5ee287591a1 Mon Sep 17 00:00:00 2001 +From: Damien Neil +Date: Thu, 11 Jan 2024 11:31:57 -0800 +Subject: [PATCH] [release-branch.go1.21] net/http, net/http/cookiejar: avoid + subdomain matches on IPv6 zones + +When deciding whether to forward cookies or sensitive headers +across a redirect, do not attempt to interpret an IPv6 address +as a domain name. + +Avoids a case where a maliciously-crafted redirect to an +IPv6 address with a scoped addressing zone could be +misinterpreted as a within-domain redirect. For example, +we could interpret "::1%.www.example.com" as a subdomain +of "www.example.com". + +Thanks to Juho Nurminen of Mattermost for reporting this issue. + +Fixes CVE-2023-45289 +Fixes #65385 +For #65065 + +Change-Id: I8f463f59f0e700c8a18733d2b264a8bcb3a19599 +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2131938 +Reviewed-by: Tatiana Bradley +Reviewed-by: Roland Shoemaker +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2173775 +Reviewed-by: Carlos Amedee +Reviewed-on: https://go-review.googlesource.com/c/go/+/569239 +Reviewed-by: Carlos Amedee +Auto-Submit: Michael Knyszek +TryBot-Bypass: Michael Knyszek + +Upstream-Status: Backport [https://github.com/golang/go/commit/20586c0dbe03d144f914155f879fa5ee287591a1] +CVE: CVE-2023-45289 +Signed-off-by: Vijay Anusuri +--- + src/net/http/client.go | 6 ++++++ + src/net/http/client_test.go | 1 + + src/net/http/cookiejar/jar.go | 7 +++++++ + src/net/http/cookiejar/jar_test.go | 10 ++++++++++ + 4 files changed, 24 insertions(+) + +diff --git a/src/net/http/client.go b/src/net/http/client.go +index a496f1c..2031834 100644 +--- a/src/net/http/client.go ++++ b/src/net/http/client.go +@@ -973,6 +973,12 @@ func isDomainOrSubdomain(sub, parent string) bool { + if sub == parent { + return true + } ++ // If sub contains a :, it's probably an IPv6 address (and is definitely not a hostname). ++ // Don't check the suffix in this case, to avoid matching the contents of a IPv6 zone. ++ // For example, "::1%.www.example.com" is not a subdomain of "www.example.com". ++ if strings.ContainsAny(sub, ":%") { ++ return false ++ } + // If sub is "foo.example.com" and parent is "example.com", + // that means sub must end in "."+parent. + // Do it without allocating. +diff --git a/src/net/http/client_test.go b/src/net/http/client_test.go +index 2b4f53f..442fe35 100644 +--- a/src/net/http/client_test.go ++++ b/src/net/http/client_test.go +@@ -1703,6 +1703,7 @@ func TestShouldCopyHeaderOnRedirect(t *testing.T) { + {"cookie2", "http://foo.com/", "http://bar.com/", false}, + {"authorization", "http://foo.com/", "http://bar.com/", false}, + {"www-authenticate", "http://foo.com/", "http://bar.com/", false}, ++ {"authorization", "http://foo.com/", "http://[::1%25.foo.com]/", false}, + + // But subdomains should work: + {"www-authenticate", "http://foo.com/", "http://foo.com/", true}, +diff --git a/src/net/http/cookiejar/jar.go b/src/net/http/cookiejar/jar.go +index 9f19917..18cbfc2 100644 +--- a/src/net/http/cookiejar/jar.go ++++ b/src/net/http/cookiejar/jar.go +@@ -356,6 +356,13 @@ func jarKey(host string, psl PublicSuffixList) string { + + // isIP reports whether host is an IP address. + func isIP(host string) bool { ++ if strings.ContainsAny(host, ":%") { ++ // Probable IPv6 address. ++ // Hostnames can't contain : or %, so this is definitely not a valid host. ++ // Treating it as an IP is the more conservative option, and avoids the risk ++ // of interpeting ::1%.www.example.com as a subtomain of www.example.com. ++ return true ++ } + return net.ParseIP(host) != nil + } + +diff --git a/src/net/http/cookiejar/jar_test.go b/src/net/http/cookiejar/jar_test.go +index 47fb1ab..fd8d40e 100644 +--- a/src/net/http/cookiejar/jar_test.go ++++ b/src/net/http/cookiejar/jar_test.go +@@ -251,6 +251,7 @@ var isIPTests = map[string]bool{ + "127.0.0.1": true, + "1.2.3.4": true, + "2001:4860:0:2001::68": true, ++ "::1%zone": true, + "example.com": false, + "1.1.1.300": false, + "www.foo.bar.net": false, +@@ -613,6 +614,15 @@ var basicsTests = [...]jarTest{ + {"http://www.host.test:1234/", "a=1"}, + }, + }, ++ { ++ "IPv6 zone is not treated as a host.", ++ "https://example.com/", ++ []string{"a=1"}, ++ "a=1", ++ []query{ ++ {"https://[::1%25.example.com]:80/", ""}, ++ }, ++ }, + } + + func TestBasics(t *testing.T) { +-- +2.25.1 + diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-45290.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-45290.patch new file mode 100644 index 0000000000..ddc2f67c96 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-45290.patch @@ -0,0 +1,271 @@ +From bf80213b121074f4ad9b449410a4d13bae5e9be0 Mon Sep 17 00:00:00 2001 +From: Damien Neil +Date: Tue, 16 Jan 2024 15:37:52 -0800 +Subject: [PATCH] [release-branch.go1.21] net/textproto, mime/multipart: avoid + unbounded read in MIME header + +mime/multipart.Reader.ReadForm allows specifying the maximum amount +of memory that will be consumed by the form. While this limit is +correctly applied to the parsed form data structure, it was not +being applied to individual header lines in a form. + +For example, when presented with a form containing a header line +that never ends, ReadForm will continue to read the line until it +runs out of memory. + +Limit the amount of data consumed when reading a header. + +Fixes CVE-2023-45290 +Fixes #65389 +For #65383 + +Change-Id: I7f9264d25752009e95f6b2c80e3d76aaf321d658 +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2134435 +Reviewed-by: Roland Shoemaker +Reviewed-by: Tatiana Bradley +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2173776 +Reviewed-by: Carlos Amedee +Reviewed-on: https://go-review.googlesource.com/c/go/+/569240 +Auto-Submit: Michael Knyszek +LUCI-TryBot-Result: Go LUCI +Reviewed-by: Carlos Amedee + +Upstream-Status: Backport [https://github.com/golang/go/commit/bf80213b121074f4ad9b449410a4d13bae5e9be0] +CVE: CVE-2023-45290 +Signed-off-by: Vijay Anusuri +--- + src/mime/multipart/formdata_test.go | 42 +++++++++++++++++++++++++ + src/net/textproto/reader.go | 48 ++++++++++++++++++++--------- + src/net/textproto/reader_test.go | 12 ++++++++ + 3 files changed, 87 insertions(+), 15 deletions(-) + +diff --git a/src/mime/multipart/formdata_test.go b/src/mime/multipart/formdata_test.go +index c78eeb7..f729da6 100644 +--- a/src/mime/multipart/formdata_test.go ++++ b/src/mime/multipart/formdata_test.go +@@ -421,6 +421,48 @@ func TestReadFormLimits(t *testing.T) { + } + } + ++func TestReadFormEndlessHeaderLine(t *testing.T) { ++ for _, test := range []struct { ++ name string ++ prefix string ++ }{{ ++ name: "name", ++ prefix: "X-", ++ }, { ++ name: "value", ++ prefix: "X-Header: ", ++ }, { ++ name: "continuation", ++ prefix: "X-Header: foo\r\n ", ++ }} { ++ t.Run(test.name, func(t *testing.T) { ++ const eol = "\r\n" ++ s := `--boundary` + eol ++ s += `Content-Disposition: form-data; name="a"` + eol ++ s += `Content-Type: text/plain` + eol ++ s += test.prefix ++ fr := io.MultiReader( ++ strings.NewReader(s), ++ neverendingReader('X'), ++ ) ++ r := NewReader(fr, "boundary") ++ _, err := r.ReadForm(1 << 20) ++ if err != ErrMessageTooLarge { ++ t.Fatalf("ReadForm(1 << 20): %v, want ErrMessageTooLarge", err) ++ } ++ }) ++ } ++} ++ ++type neverendingReader byte ++ ++func (r neverendingReader) Read(p []byte) (n int, err error) { ++ for i := range p { ++ p[i] = byte(r) ++ } ++ return len(p), nil ++} ++ + func BenchmarkReadForm(b *testing.B) { + for _, test := range []struct { + name string +diff --git a/src/net/textproto/reader.go b/src/net/textproto/reader.go +index ad2d777..cea6613 100644 +--- a/src/net/textproto/reader.go ++++ b/src/net/textproto/reader.go +@@ -17,6 +17,10 @@ import ( + "sync" + ) + ++// TODO: This should be a distinguishable error (ErrMessageTooLarge) ++// to allow mime/multipart to detect it. ++var errMessageTooLarge = errors.New("message too large") ++ + // A Reader implements convenience methods for reading requests + // or responses from a text protocol network connection. + type Reader struct { +@@ -38,13 +42,13 @@ func NewReader(r *bufio.Reader) *Reader { + // ReadLine reads a single line from r, + // eliding the final \n or \r\n from the returned string. + func (r *Reader) ReadLine() (string, error) { +- line, err := r.readLineSlice() ++ line, err := r.readLineSlice(-1) + return string(line), err + } + + // ReadLineBytes is like ReadLine but returns a []byte instead of a string. + func (r *Reader) ReadLineBytes() ([]byte, error) { +- line, err := r.readLineSlice() ++ line, err := r.readLineSlice(-1) + if line != nil { + buf := make([]byte, len(line)) + copy(buf, line) +@@ -53,7 +57,10 @@ func (r *Reader) ReadLineBytes() ([]byte, error) { + return line, err + } + +-func (r *Reader) readLineSlice() ([]byte, error) { ++// readLineSlice reads a single line from r, ++// up to lim bytes long (or unlimited if lim is less than 0), ++// eliding the final \r or \r\n from the returned string. ++func (r *Reader) readLineSlice(lim int64) ([]byte, error) { + r.closeDot() + var line []byte + for { +@@ -61,6 +68,9 @@ func (r *Reader) readLineSlice() ([]byte, error) { + if err != nil { + return nil, err + } ++ if lim >= 0 && int64(len(line))+int64(len(l)) > lim { ++ return nil, errMessageTooLarge ++ } + // Avoid the copy if the first call produced a full line. + if line == nil && !more { + return l, nil +@@ -93,7 +103,7 @@ func (r *Reader) readLineSlice() ([]byte, error) { + // A line consisting of only white space is never continued. + // + func (r *Reader) ReadContinuedLine() (string, error) { +- line, err := r.readContinuedLineSlice(noValidation) ++ line, err := r.readContinuedLineSlice(-1, noValidation) + return string(line), err + } + +@@ -114,7 +124,7 @@ func trim(s []byte) []byte { + // ReadContinuedLineBytes is like ReadContinuedLine but + // returns a []byte instead of a string. + func (r *Reader) ReadContinuedLineBytes() ([]byte, error) { +- line, err := r.readContinuedLineSlice(noValidation) ++ line, err := r.readContinuedLineSlice(-1, noValidation) + if line != nil { + buf := make([]byte, len(line)) + copy(buf, line) +@@ -127,13 +137,14 @@ func (r *Reader) ReadContinuedLineBytes() ([]byte, error) { + // returning a byte slice with all lines. The validateFirstLine function + // is run on the first read line, and if it returns an error then this + // error is returned from readContinuedLineSlice. +-func (r *Reader) readContinuedLineSlice(validateFirstLine func([]byte) error) ([]byte, error) { ++// It reads up to lim bytes of data (or unlimited if lim is less than 0). ++func (r *Reader) readContinuedLineSlice(lim int64, validateFirstLine func([]byte) error) ([]byte, error) { + if validateFirstLine == nil { + return nil, fmt.Errorf("missing validateFirstLine func") + } + + // Read the first line. +- line, err := r.readLineSlice() ++ line, err := r.readLineSlice(lim) + if err != nil { + return nil, err + } +@@ -161,13 +172,21 @@ func (r *Reader) readContinuedLineSlice(validateFirstLine func([]byte) error) ([ + // copy the slice into buf. + r.buf = append(r.buf[:0], trim(line)...) + ++ if lim < 0 { ++ lim = math.MaxInt64 ++ } ++ lim -= int64(len(r.buf)) ++ + // Read continuation lines. + for r.skipSpace() > 0 { +- line, err := r.readLineSlice() ++ r.buf = append(r.buf, ' ') ++ if int64(len(r.buf)) >= lim { ++ return nil, errMessageTooLarge ++ } ++ line, err := r.readLineSlice(lim - int64(len(r.buf))) + if err != nil { + break + } +- r.buf = append(r.buf, ' ') + r.buf = append(r.buf, trim(line)...) + } + return r.buf, nil +@@ -512,7 +531,8 @@ func readMIMEHeader(r *Reader, maxMemory, maxHeaders int64) (MIMEHeader, error) + + // The first line cannot start with a leading space. + if buf, err := r.R.Peek(1); err == nil && (buf[0] == ' ' || buf[0] == '\t') { +- line, err := r.readLineSlice() ++ const errorLimit = 80 // arbitrary limit on how much of the line we'll quote ++ line, err := r.readLineSlice(errorLimit) + if err != nil { + return m, err + } +@@ -520,7 +540,7 @@ func readMIMEHeader(r *Reader, maxMemory, maxHeaders int64) (MIMEHeader, error) + } + + for { +- kv, err := r.readContinuedLineSlice(mustHaveFieldNameColon) ++ kv, err := r.readContinuedLineSlice(maxMemory, mustHaveFieldNameColon) + if len(kv) == 0 { + return m, err + } +@@ -541,7 +561,7 @@ func readMIMEHeader(r *Reader, maxMemory, maxHeaders int64) (MIMEHeader, error) + + maxHeaders-- + if maxHeaders < 0 { +- return nil, errors.New("message too large") ++ return nil, errMessageTooLarge + } + + // backport 5c55ac9bf1e5f779220294c843526536605f42ab +@@ -567,9 +587,7 @@ func readMIMEHeader(r *Reader, maxMemory, maxHeaders int64) (MIMEHeader, error) + } + maxMemory -= int64(len(value)) + if maxMemory < 0 { +- // TODO: This should be a distinguishable error (ErrMessageTooLarge) +- // to allow mime/multipart to detect it. +- return m, errors.New("message too large") ++ return m, errMessageTooLarge + } + if vv == nil && len(strs) > 0 { + // More than likely this will be a single-element key. +diff --git a/src/net/textproto/reader_test.go b/src/net/textproto/reader_test.go +index 3ae0de1..db1ed91 100644 +--- a/src/net/textproto/reader_test.go ++++ b/src/net/textproto/reader_test.go +@@ -34,6 +34,18 @@ func TestReadLine(t *testing.T) { + } + } + ++func TestReadLineLongLine(t *testing.T) { ++ line := strings.Repeat("12345", 10000) ++ r := reader(line + "\r\n") ++ s, err := r.ReadLine() ++ if err != nil { ++ t.Fatalf("Line 1: %v", err) ++ } ++ if s != line { ++ t.Fatalf("%v-byte line does not match expected %v-byte line", len(s), len(line)) ++ } ++} ++ + func TestReadContinuedLine(t *testing.T) { + r := reader("line1\nline\n 2\nline3\n") + s, err := r.ReadContinuedLine() +-- +2.25.1 + diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2024-24785.patch b/meta/recipes-devtools/go/go-1.14/CVE-2024-24785.patch new file mode 100644 index 0000000000..1398a2ca48 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2024-24785.patch @@ -0,0 +1,197 @@ +From 3643147a29352ca2894fd5d0d2069bc4b4335a7e Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker +Date: Wed, 14 Feb 2024 17:18:36 -0800 +Subject: [PATCH] [release-branch.go1.21] html/template: escape additional + tokens in MarshalJSON errors + +Escape " +Reviewed-by: Damien Neil +(cherry picked from commit ccbc725f2d678255df1bd326fa511a492aa3a0aa) +Reviewed-on: https://go-review.googlesource.com/c/go/+/567515 +Reviewed-by: Carlos Amedee + +Upstream-Status: Backport [https://github.com/golang/go/commit/3643147a29352ca2894fd5d0d2069bc4b4335a7e] +CVE: CVE-2024-24785 +Signed-off-by: Vijay Anusuri +--- + src/html/template/js.go | 22 ++++++++- + src/html/template/js_test.go | 96 ++++++++++++++++++++---------------- + 2 files changed, 74 insertions(+), 44 deletions(-) + +diff --git a/src/html/template/js.go b/src/html/template/js.go +index 35994f0..4d3b25d 100644 +--- a/src/html/template/js.go ++++ b/src/html/template/js.go +@@ -171,13 +171,31 @@ func jsValEscaper(args ...interface{}) string { + // cyclic data. This may be an unacceptable DoS risk. + b, err := json.Marshal(a) + if err != nil { +- // Put a space before comment so that if it is flush against ++ // While the standard JSON marshaller does not include user controlled ++ // information in the error message, if a type has a MarshalJSON method, ++ // the content of the error message is not guaranteed. Since we insert ++ // the error into the template, as part of a comment, we attempt to ++ // prevent the error from either terminating the comment, or the script ++ // block itself. ++ // ++ // In particular we: ++ // * replace "*/" comment end tokens with "* /", which does not ++ // terminate the comment ++ // * replace " 1 so this loses precision in JS + // but it is still a representable integer literal. +- {uint64(1)<<53 + 1, " 9007199254740993 "}, +- {float32(1.0), " 1 "}, +- {float32(-1.0), " -1 "}, +- {float32(0.5), " 0.5 "}, +- {float32(-0.5), " -0.5 "}, +- {float32(1.0) / float32(256), " 0.00390625 "}, +- {float32(0), " 0 "}, +- {math.Copysign(0, -1), " -0 "}, +- {float64(1.0), " 1 "}, +- {float64(-1.0), " -1 "}, +- {float64(0.5), " 0.5 "}, +- {float64(-0.5), " -0.5 "}, +- {float64(0), " 0 "}, +- {math.Copysign(0, -1), " -0 "}, +- {"", `""`}, +- {"foo", `"foo"`}, ++ {uint64(1)<<53 + 1, " 9007199254740993 ", false}, ++ {float32(1.0), " 1 ", false}, ++ {float32(-1.0), " -1 ", false}, ++ {float32(0.5), " 0.5 ", false}, ++ {float32(-0.5), " -0.5 ", false}, ++ {float32(1.0) / float32(256), " 0.00390625 ", false}, ++ {float32(0), " 0 ", false}, ++ {math.Copysign(0, -1), " -0 ", false}, ++ {float64(1.0), " 1 ", false}, ++ {float64(-1.0), " -1 ", false}, ++ {float64(0.5), " 0.5 ", false}, ++ {float64(-0.5), " -0.5 ", false}, ++ {float64(0), " 0 ", false}, ++ {math.Copysign(0, -1), " -0 ", false}, ++ {"", `""`, false}, ++ {"foo", `"foo"`, false}, + // Newlines. +- {"\r\n\u2028\u2029", `"\r\n\u2028\u2029"`}, ++ {"\r\n\u2028\u2029", `"\r\n\u2028\u2029"`, false}, + // "\v" == "v" on IE 6 so use "\u000b" instead. +- {"\t\x0b", `"\t\u000b"`}, +- {struct{ X, Y int }{1, 2}, `{"X":1,"Y":2}`}, +- {[]interface{}{}, "[]"}, +- {[]interface{}{42, "foo", nil}, `[42,"foo",null]`}, +- {[]string{""}, `["\u003c!--","\u003c/script\u003e","--\u003e"]`}, +- {"", `"--\u003e"`}, +- {"", `"]]\u003e"`}, +- {"", "-->"}, `["\u003c!--","\u003c/script\u003e","--\u003e"]`, false}, ++ {"", `"--\u003e"`, false}, ++ {"", `"]]\u003e"`, false}, ++ {" X-Patchwork-Id: 41932 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8AFF9CD11C2 for ; Wed, 3 Apr 2024 03:12:13 +0000 (UTC) Received: from mail-pf1-f171.google.com (mail-pf1-f171.google.com [209.85.210.171]) by mx.groups.io with SMTP id smtpd.web10.2731.1712113924638635487 for ; Tue, 02 Apr 2024 20:12:04 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=nu1v3GLz; spf=softfail (domain: sakoman.com, ip: 209.85.210.171, mailfrom: steve@sakoman.com) Received: by mail-pf1-f171.google.com with SMTP id d2e1a72fcca58-6ea9a605ca7so392604b3a.0 for ; Tue, 02 Apr 2024 20:12:04 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1712113924; x=1712718724; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=mNe71cMmGsyscBrafGAdi/BCLM0VSHlr0LfcOPE8iPQ=; b=nu1v3GLzeg7iADa4pJYiHWywQ3SBDI5YKmQgu+6IZcxzkvJJ3lo1GZQ/KF57KkI98X 5GlaOwVPK3QnJLoXcWuTkGsBUDvbCr1GpURARdroecxjUV86/6e7niSLFpt0ddFL7hdL SlQwOnkqfd+q1VL3MeHPrDzfxVcTfKCNK/e1TfaT6QsMmHe0ERovqusYf+SzF/LH0774 wsRQWgKECmxEcNf6tJ5KAsOVx4R25+sQz5zZ0rg7VqIWbzrHpKfNimJlNmrQ3Zfvc7vr 08r4oUdxDILx9+bP6Gpldf1peDUWnyGIczA4GbxhfL40URn2YO1UWJPxfJiZa/hQGwRE h5Gw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712113924; x=1712718724; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=mNe71cMmGsyscBrafGAdi/BCLM0VSHlr0LfcOPE8iPQ=; b=PDFDzl42Db4v9nWLluwPOs1q/9D2IcurVPVDKBssy986Bkocy0AhOAjHa3sjjtFe24 5vU9qocMXkGVRJBwZla5sCf+0PawFui2cORppAORQuLK00kuvZWb+tn/rQ6yWRrgTVrL qvww+ufnIgh2nJRswxCsiqdG/RRS0447t5IZ8+EdY+HXqhbk54J426PuzCE+K9b3vMXZ uMPF+Fv8ntW+wXWdAjBHhmGiJusbj7Zy3UlKbx85tJvHWHKyK04AnaDfURH8ppUys1mO Am7r8tB1aTl6DuylIkG42xWZYY6If7j+QLSnHhU3Dd1dDiStTjgbVeGGoa+x4F9pTI+h NCOg== X-Gm-Message-State: AOJu0YxYVIASHTmg764RRKcXfTgXDT+FEf9ibT39N9oD2uCirWFtf4L+ PbLLuskuMka08bbzp9Tk7tp4ZzroHWr4fVeZI8XvtEBBnbTqI1RrjYd1H9qBQ7xPbd4hwMxeSNM 6p1g= X-Google-Smtp-Source: AGHT+IHfAcOBAdGpvPTw/alR0OdJr0w0dw6PxDgHvlHC0A6pzZa+l4Dq3trF6iixW33FHiS8jlXgiw== X-Received: by 2002:a05:6a20:7d8d:b0:1a3:7091:2b65 with SMTP id v13-20020a056a207d8d00b001a370912b65mr1874245pzj.5.1712113923953; Tue, 02 Apr 2024 20:12:03 -0700 (PDT) Received: from xps13.. (067-053-223-136.biz.spectrum.com. [67.53.223.136]) by smtp.gmail.com with ESMTPSA id x15-20020a63170f000000b005dc87f5dfcfsm10371743pgl.78.2024.04.02.20.12.03 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 02 Apr 2024 20:12:03 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 3/7] tar: Fix for CVE-2023-39804 Date: Tue, 2 Apr 2024 17:11:48 -1000 Message-Id: <082c31db387957963952c485a436dc38a64498d0.1712113689.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 03 Apr 2024 03:12:13 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/197888 From: Vijay Anusuri Upstream-Status: Backport from https://git.savannah.gnu.org/cgit/tar.git/commit/?id=a339f05cd269013fa133d2f148d73f6f7d4247e4 Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- .../tar/tar/CVE-2023-39804.patch | 64 +++++++++++++++++++ meta/recipes-extended/tar/tar_1.32.bb | 1 + 2 files changed, 65 insertions(+) create mode 100644 meta/recipes-extended/tar/tar/CVE-2023-39804.patch diff --git a/meta/recipes-extended/tar/tar/CVE-2023-39804.patch b/meta/recipes-extended/tar/tar/CVE-2023-39804.patch new file mode 100644 index 0000000000..f550928540 --- /dev/null +++ b/meta/recipes-extended/tar/tar/CVE-2023-39804.patch @@ -0,0 +1,64 @@ +From a339f05cd269013fa133d2f148d73f6f7d4247e4 Mon Sep 17 00:00:00 2001 +From: Sergey Poznyakoff +Date: Sat, 28 Aug 2021 16:02:12 +0300 +Subject: Fix handling of extended header prefixes + +* src/xheader.c (locate_handler): Recognize prefix keywords only +when followed by a dot. +(xattr_decoder): Use xmalloc/xstrdup instead of alloc + +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/tar.git/commit/?id=a339f05cd269013fa133d2f148d73f6f7d4247e4] +CVE: CVE-2023-39804 +Signed-off-by: Vijay Anusuri +--- + src/xheader.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +diff --git a/src/xheader.c b/src/xheader.c +index 4f8b2b2..3cd694d 100644 +--- a/src/xheader.c ++++ b/src/xheader.c +@@ -637,11 +637,11 @@ static struct xhdr_tab const * + locate_handler (char const *keyword) + { + struct xhdr_tab const *p; +- + for (p = xhdr_tab; p->keyword; p++) + if (p->prefix) + { +- if (strncmp (p->keyword, keyword, strlen(p->keyword)) == 0) ++ size_t kwlen = strlen (p->keyword); ++ if (keyword[kwlen] == '.' && strncmp (p->keyword, keyword, kwlen) == 0) + return p; + } + else +@@ -1716,19 +1716,20 @@ xattr_decoder (struct tar_stat_info *st, + char const *keyword, char const *arg, size_t size) + { + char *xstr, *xkey; +- ++ + /* copy keyword */ +- size_t klen_raw = strlen (keyword); +- xkey = alloca (klen_raw + 1); +- memcpy (xkey, keyword, klen_raw + 1) /* including null-terminating */; ++ xkey = xstrdup (keyword); + + /* copy value */ +- xstr = alloca (size + 1); ++ xstr = xmalloc (size + 1); + memcpy (xstr, arg, size + 1); /* separator included, for GNU tar '\n' */; + + xattr_decode_keyword (xkey); + +- xheader_xattr_add (st, xkey + strlen("SCHILY.xattr."), xstr, size); ++ xheader_xattr_add (st, xkey + strlen ("SCHILY.xattr."), xstr, size); ++ ++ free (xkey); ++ free (xstr); + } + + static void +-- +cgit v1.1 + diff --git a/meta/recipes-extended/tar/tar_1.32.bb b/meta/recipes-extended/tar/tar_1.32.bb index 1246f01256..c560741599 100644 --- a/meta/recipes-extended/tar/tar_1.32.bb +++ b/meta/recipes-extended/tar/tar_1.32.bb @@ -10,6 +10,7 @@ SRC_URI = "${GNU_MIRROR}/tar/tar-${PV}.tar.bz2 \ file://musl_dirent.patch \ file://CVE-2021-20193.patch \ file://CVE-2022-48303.patch \ + file://CVE-2023-39804.patch \ " SRC_URI[md5sum] = "17917356fff5cb4bd3cd5a6c3e727b05" From patchwork Wed Apr 3 03:11:49 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 41937 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9E8DACD1294 for ; Wed, 3 Apr 2024 03:12:13 +0000 (UTC) Received: from mail-pf1-f172.google.com (mail-pf1-f172.google.com [209.85.210.172]) by mx.groups.io with SMTP id smtpd.web10.2732.1712113926122121465 for ; Tue, 02 Apr 2024 20:12:06 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=XBYj0czD; spf=softfail (domain: sakoman.com, ip: 209.85.210.172, mailfrom: steve@sakoman.com) Received: by mail-pf1-f172.google.com with SMTP id d2e1a72fcca58-6ea9a605ca7so392617b3a.0 for ; Tue, 02 Apr 2024 20:12:06 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1712113925; x=1712718725; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=PKRzdBVs3X8RT5czHnrwHFXxylw07W+lr/AI5Tu73Ao=; b=XBYj0czDUlBbRrXZhyvMC+KSu7WGDnkq8xEY7qjFxJtitHRSZtfLO5oBBqwZDYPOs/ NEcuMrpXGh7XP/5g4KHTTn4Rls012Y32fwj3nNBj11hafo3+fv9kOlNO1OUdhm33FTeP r3hGxR73Szs9MJCweQkxeRmzVg8VATVQ+f//8q7ScaJY449G/GK0oUyxwB4COrBtf0yl QQ+F88ikl3ytg3CPNYphHrDbIFfN8EPjbtO7xBatI+Cdn7/xgWBm0q0bD5l3kMhmCQch 9dk/MwHrrMS0JZjSdGn7O+wyjdOMGUNwRWm8YtkmO0CZn17jpAoYlTTLbPl3ulIszyNa cnlQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712113925; x=1712718725; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=PKRzdBVs3X8RT5czHnrwHFXxylw07W+lr/AI5Tu73Ao=; b=HbD5qPma6YFv9ayCzr4x3L+75mWRO653lLu+Bl5DfvcZgmnjtRRGveEt7tO4qv5tXQ o2VNs/VsZkJ4mtLtygWzXXMW639RzmCMUQoTIJtioii/rfxx8lVoHeaTo/nwK1TLCy2b ew3kUMc0EhKBSYB5HgOESlDh+DDNSzGa5PGE/w5V75L21DEomxHN8TAUDRRS8BjhKNre iabBRVcziLqwZ5BYLw/n+OgiJ02QsZtdvMr/EGoa/LmRuskDzqviyk+Wk1jnqpvxoZWr n1Tdn+45oZlf7K8Gb1DhC9yGhlMJI8yUcgcovwpPbXFfs1bfextQIoT8Jeck6swhoH9p K3Nw== X-Gm-Message-State: AOJu0Yyx66Cpy3joAydsPMpcOwvfQi0YVSD6JlrDeKoGIoUqCEQUtA2E hXI7s58EpTkH8QY6mcp6fjlKE3BYnZpsM8wPWzjux/CETPjSnK2K8QZk49GuNjtOvvT5IarQLUW nUKk= X-Google-Smtp-Source: AGHT+IH9GV2j4kpuFJ+GbHhb+VAVCUEQEGLX1Q4Y3Tcqw4iWZt2zoccAWXxBLz9UlkmNefipkr/Yeg== X-Received: by 2002:a05:6a20:c91b:b0:1a5:6b4e:37fb with SMTP id gx27-20020a056a20c91b00b001a56b4e37fbmr1369734pzb.9.1712113925408; Tue, 02 Apr 2024 20:12:05 -0700 (PDT) Received: from xps13.. (067-053-223-136.biz.spectrum.com. [67.53.223.136]) by smtp.gmail.com with ESMTPSA id x15-20020a63170f000000b005dc87f5dfcfsm10371743pgl.78.2024.04.02.20.12.04 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 02 Apr 2024 20:12:05 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 4/7] curl: backport Debian patch for CVE-2024-2398 Date: Tue, 2 Apr 2024 17:11:49 -1000 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 03 Apr 2024 03:12:13 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/197889 From: Vijay Anusuri import patch from ubuntu to fix CVE-2024-2398 Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/curl/tree/debian/patches/?h=ubuntu%2Ffocal-security Upstream commit https://github.com/curl/curl/commit/deca8039991886a559b67bcd6701db800a5cf764] Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- .../curl/curl/CVE-2024-2398.patch | 88 +++++++++++++++++++ meta/recipes-support/curl/curl_7.69.1.bb | 1 + 2 files changed, 89 insertions(+) create mode 100644 meta/recipes-support/curl/curl/CVE-2024-2398.patch diff --git a/meta/recipes-support/curl/curl/CVE-2024-2398.patch b/meta/recipes-support/curl/curl/CVE-2024-2398.patch new file mode 100644 index 0000000000..a3840336f0 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2024-2398.patch @@ -0,0 +1,88 @@ +Backport of: + +From deca8039991886a559b67bcd6701db800a5cf764 Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Wed, 6 Mar 2024 09:36:08 +0100 +Subject: [PATCH] http2: push headers better cleanup + +- provide common cleanup method for push headers + +Closes #13054 + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/curl/tree/debian/patches/CVE-2024-2398.patch?h=ubuntu/focal-security +Upstream commit https://github.com/curl/curl/commit/deca8039991886a559b67bcd6701db800a5cf764] +CVE: CVE-2024-2398 +Signed-off-by: Vijay Anusuri +--- + lib/http2.c | 34 +++++++++++++++------------------- + 1 file changed, 15 insertions(+), 19 deletions(-) + +--- a/lib/http2.c ++++ b/lib/http2.c +@@ -515,6 +515,15 @@ static struct Curl_easy *duphandle(struc + } + + ++static void free_push_headers(struct HTTP *stream) ++{ ++ size_t i; ++ for(i = 0; ipush_headers_used; i++) ++ free(stream->push_headers[i]); ++ Curl_safefree(stream->push_headers); ++ stream->push_headers_used = 0; ++} ++ + static int push_promise(struct Curl_easy *data, + struct connectdata *conn, + const nghttp2_push_promise *frame) +@@ -528,7 +537,6 @@ static int push_promise(struct Curl_easy + struct curl_pushheaders heads; + CURLMcode rc; + struct http_conn *httpc; +- size_t i; + /* clone the parent */ + struct Curl_easy *newhandle = duphandle(data); + if(!newhandle) { +@@ -557,11 +565,7 @@ static int push_promise(struct Curl_easy + Curl_set_in_callback(data, false); + + /* free the headers again */ +- for(i = 0; ipush_headers_used; i++) +- free(stream->push_headers[i]); +- free(stream->push_headers); +- stream->push_headers = NULL; +- stream->push_headers_used = 0; ++ free_push_headers(stream); + + if(rv) { + /* denied, kill off the new handle again */ +@@ -995,10 +999,10 @@ static int on_header(nghttp2_session *se + stream->push_headers_alloc) { + char **headp; + stream->push_headers_alloc *= 2; +- headp = Curl_saferealloc(stream->push_headers, +- stream->push_headers_alloc * sizeof(char *)); ++ headp = realloc(stream->push_headers, ++ stream->push_headers_alloc * sizeof(char *)); + if(!headp) { +- stream->push_headers = NULL; ++ free_push_headers(stream); + return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE; + } + stream->push_headers = headp; +@@ -1179,14 +1183,7 @@ void Curl_http2_done(struct Curl_easy *d + if(http->header_recvbuf) { + Curl_add_buffer_free(&http->header_recvbuf); + Curl_add_buffer_free(&http->trailer_recvbuf); +- if(http->push_headers) { +- /* if they weren't used and then freed before */ +- for(; http->push_headers_used > 0; --http->push_headers_used) { +- free(http->push_headers[http->push_headers_used - 1]); +- } +- free(http->push_headers); +- http->push_headers = NULL; +- } ++ free_push_headers(http); + } + + if(!httpc->h2) /* not HTTP/2 ? */ diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb index 980b4224a8..2f351d585a 100644 --- a/meta/recipes-support/curl/curl_7.69.1.bb +++ b/meta/recipes-support/curl/curl_7.69.1.bb @@ -58,6 +58,7 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \ file://CVE-2023-28321.patch \ file://CVE-2023-28322.patch \ file://CVE-2023-46218.patch \ + file://CVE-2024-2398.patch \ " SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42" From patchwork Wed Apr 3 03:11:50 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 41936 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id ACA91CD1284 for ; Wed, 3 Apr 2024 03:12:13 +0000 (UTC) Received: from mail-pf1-f169.google.com (mail-pf1-f169.google.com [209.85.210.169]) by mx.groups.io with SMTP id smtpd.web11.2637.1712113927791351144 for ; Tue, 02 Apr 2024 20:12:07 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=0GuqD1Ao; spf=softfail (domain: sakoman.com, ip: 209.85.210.169, mailfrom: steve@sakoman.com) Received: by mail-pf1-f169.google.com with SMTP id d2e1a72fcca58-6e6bee809b8so5563546b3a.1 for ; Tue, 02 Apr 2024 20:12:07 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1712113927; x=1712718727; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=kNLdOP103RakbK13QbizlDENfAV05Dv7vHxjTVr7tRE=; b=0GuqD1AoCZNRKh8Qn5x9TgMwKB1RG98NItTZAugDegPvs8iey5isdYyYulaiQ3DXAm 7dVuzz9qUQevPltcpvK/OCAKJ+oEtBDzaF0PXCA/gwWJwT3/tu2NTavjlC1W+eG/HjZf mUYITs1sk5CgeGuCzAivKj9+gUU3FtS5H/2fPsGtFfWMcWHAo68a+wg5dWoAPHQTps1R BYcItdhy/YjbODt0I2K1a6Hm/cnn7vHInKZQ3gMeyE70ESFgIEF9rsgBpxi+cOtojRSk OA8BVgvg0slHPOUxxFOfsJIUOlb7Ypz3JuaH/NdfPd485gAsjhCyHLfAyhPNbg9/Mn5a tGJQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712113927; x=1712718727; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=kNLdOP103RakbK13QbizlDENfAV05Dv7vHxjTVr7tRE=; b=aoRmVbM/3+G2e8pZk28AvNzpcY8Nyix4sw+CXetCVpn945mM2qh6+LW0Pr27Emtv1U o8B/mkgk4HBCo/TRqtn9HQrA+ovfaajuT8C97HTOJ13P1kIO0LLFHp/anq+enFag9fN4 3BXE8mBoGAlEQ+AN0+qOgnUqSdpgIqHcnwa5qgnkFqH6/BIH3njYcf9L73lUvTDHxzlg K2aSABGylMcglFrGYQy++Y+vVvBGYrRYR1dRXWjZWXOqizrwoCaWKkdQYb5aUnhvrDQb h/BwhivJPOInNVtbNaJVzzuME+indMD24M1JOBmjNevnT0K31nIDJvuAjhVfO9tPlzga ReaQ== X-Gm-Message-State: AOJu0Yz8z6MvXDNOXvZKGF1GOFXazObcRHOLyNmrCa0csSewKNT0sUDV pTj6e7Wgu80D3hOxegodWw+EZjmvRzAOy8i3oqrXWPFKv67KcG+M8DcB1Gda45cnHuGWry62T7L 16AY= X-Google-Smtp-Source: AGHT+IGQcowzRlBO3S/ndglPhhwCssZQknnAGKRi/Q0lNN9ZthgTQYerTRIeGNPGjV0YIJ+HaoHwYg== X-Received: by 2002:a05:6a00:4f93:b0:6e6:f9b6:4b1a with SMTP id ld19-20020a056a004f9300b006e6f9b64b1amr16849479pfb.11.1712113927004; Tue, 02 Apr 2024 20:12:07 -0700 (PDT) Received: from xps13.. (067-053-223-136.biz.spectrum.com. [67.53.223.136]) by smtp.gmail.com with ESMTPSA id x15-20020a63170f000000b005dc87f5dfcfsm10371743pgl.78.2024.04.02.20.12.06 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 02 Apr 2024 20:12:06 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 5/7] openssl: Fix CVE-2024-0727 Date: Tue, 2 Apr 2024 17:11:50 -1000 Message-Id: <18eb56925878a67ca1d7ce3eb9092f611023bc23.1712113689.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 03 Apr 2024 03:12:13 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/197890 From: virendra thakur PKCS12 structures contain PKCS7 ContentInfo fields. These fields are optional and can be NULL even if the "type" is a valid value. OpenSSL was not properly accounting for this and a NULL dereference can occur causing a crash. Signed-off-by: virendra thakur Signed-off-by: Steve Sakoman --- .../openssl/openssl/CVE-2024-0727.patch | 122 ++++++++++++++++++ .../openssl/openssl_1.1.1w.bb | 1 + 2 files changed, 123 insertions(+) create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-0727.patch diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-0727.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-0727.patch new file mode 100644 index 0000000000..3da6879ccb --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2024-0727.patch @@ -0,0 +1,122 @@ +Backport of: + +From 09df4395b5071217b76dc7d3d2e630eb8c5a79c2 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Fri, 19 Jan 2024 11:28:58 +0000 +Subject: [PATCH] Add NULL checks where ContentInfo data can be NULL + +PKCS12 structures contain PKCS7 ContentInfo fields. These fields are +optional and can be NULL even if the "type" is a valid value. OpenSSL +was not properly accounting for this and a NULL dereference can occur +causing a crash. + +CVE-2024-0727 + +Reviewed-by: Tomas Mraz +Reviewed-by: Hugo Landau +Reviewed-by: Neil Horman +(Merged from https://github.com/openssl/openssl/pull/23362) + +(cherry picked from commit d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c) + +Upstream-Status: Backport [https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c] + +CVE: CVE-2024-0727 + +Signed-off-by: virendra thakur +--- + crypto/pkcs12/p12_add.c | 18 ++++++++++++++++++ + crypto/pkcs12/p12_mutl.c | 5 +++++ + crypto/pkcs12/p12_npas.c | 5 +++-- + crypto/pkcs7/pk7_mime.c | 7 +++++-- + 4 files changed, 31 insertions(+), 4 deletions(-) + +--- a/crypto/pkcs12/p12_add.c ++++ b/crypto/pkcs12/p12_add.c +@@ -76,6 +76,13 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_ + PKCS12_R_CONTENT_TYPE_NOT_DATA); + return NULL; + } ++ ++ if (p7->d.data == NULL) { ++ PKCS12err(PKCS12_F_PKCS12_UNPACK_P7DATA, ++ PKCS12_R_DECODE_ERROR); ++ return NULL; ++ } ++ + return ASN1_item_unpack(p7->d.data, ASN1_ITEM_rptr(PKCS12_SAFEBAGS)); + } + +@@ -132,6 +139,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_ + { + if (!PKCS7_type_is_encrypted(p7)) + return NULL; ++ ++ if (p7->d.encrypted == NULL) { ++ PKCS12err(PKCS12_F_PKCS12_UNPACK_P7DATA, PKCS12_R_DECODE_ERROR); ++ return NULL; ++ } ++ + return PKCS12_item_decrypt_d2i(p7->d.encrypted->enc_data->algorithm, + ASN1_ITEM_rptr(PKCS12_SAFEBAGS), + pass, passlen, +@@ -159,6 +172,13 @@ STACK_OF(PKCS7) *PKCS12_unpack_authsafes + PKCS12_R_CONTENT_TYPE_NOT_DATA); + return NULL; + } ++ ++ if (p12->authsafes->d.data == NULL) { ++ PKCS12err(PKCS12_F_PKCS12_UNPACK_AUTHSAFES, ++ PKCS12_R_DECODE_ERROR); ++ return NULL; ++ } ++ + return ASN1_item_unpack(p12->authsafes->d.data, + ASN1_ITEM_rptr(PKCS12_AUTHSAFES)); + } +--- a/crypto/pkcs12/p12_mutl.c ++++ b/crypto/pkcs12/p12_mutl.c +@@ -93,6 +93,11 @@ static int pkcs12_gen_mac(PKCS12 *p12, c + return 0; + } + ++ if (p12->authsafes->d.data == NULL) { ++ PKCS12err(PKCS12_F_PKCS12_GEN_MAC, PKCS12_R_DECODE_ERROR); ++ return 0; ++ } ++ + salt = p12->mac->salt->data; + saltlen = p12->mac->salt->length; + if (!p12->mac->iter) +--- a/crypto/pkcs12/p12_npas.c ++++ b/crypto/pkcs12/p12_npas.c +@@ -78,8 +78,9 @@ static int newpass_p12(PKCS12 *p12, cons + bags = PKCS12_unpack_p7data(p7); + } else if (bagnid == NID_pkcs7_encrypted) { + bags = PKCS12_unpack_p7encdata(p7, oldpass, -1); +- if (!alg_get(p7->d.encrypted->enc_data->algorithm, +- &pbe_nid, &pbe_iter, &pbe_saltlen)) ++ if (p7->d.encrypted == NULL ++ || !alg_get(p7->d.encrypted->enc_data->algorithm, ++ &pbe_nid, &pbe_iter, &pbe_saltlen)) + goto err; + } else { + continue; +--- a/crypto/pkcs7/pk7_mime.c ++++ b/crypto/pkcs7/pk7_mime.c +@@ -30,10 +30,13 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p + { + STACK_OF(X509_ALGOR) *mdalgs; + int ctype_nid = OBJ_obj2nid(p7->type); +- if (ctype_nid == NID_pkcs7_signed) ++ if (ctype_nid == NID_pkcs7_signed) { ++ if (p7->d.sign == NULL) ++ return 0; + mdalgs = p7->d.sign->md_algs; +- else ++ } else { + mdalgs = NULL; ++ } + + flags ^= SMIME_OLDMIME; + diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1w.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1w.bb index 8a53b06862..0e490eabc3 100644 --- a/meta/recipes-connectivity/openssl/openssl_1.1.1w.bb +++ b/meta/recipes-connectivity/openssl/openssl_1.1.1w.bb @@ -20,6 +20,7 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \ file://reproducibility.patch \ file://0001-Configure-add-2-missing-key-sorts.patch \ file://0001-Configure-do-not-tweak-mips-cflags.patch \ + file://CVE-2024-0727.patch \ " SRC_URI_append_class-nativesdk = " \ From patchwork Wed Apr 3 03:11:51 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 41934 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B7C64CD1296 for ; Wed, 3 Apr 2024 03:12:13 +0000 (UTC) Received: from mail-pf1-f181.google.com (mail-pf1-f181.google.com [209.85.210.181]) by mx.groups.io with SMTP id smtpd.web11.2638.1712113929167827779 for ; Tue, 02 Apr 2024 20:12:09 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=DwZh3dl5; spf=softfail (domain: sakoman.com, ip: 209.85.210.181, mailfrom: steve@sakoman.com) Received: by mail-pf1-f181.google.com with SMTP id d2e1a72fcca58-6e6f69e850bso6546482b3a.0 for ; Tue, 02 Apr 2024 20:12:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1712113928; x=1712718728; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=n/bCAw/8Z/WUI+iMwtdeFoGcdMDDV0pB3+hUu+rs9+M=; b=DwZh3dl5PTYUvnDeLVn20qOdw5MBejL8oydC6Aip8P78kdD2OCeI0bn+LnA5fEmYfM DHNybstrkBdQz+dZXGV496z1qytFuh8v7hf8sui5E2qhn5H9FHnXAdzR71MPEbMeesCg 66FmlXkYoCT1GS72rd4tNBSLlDv0lRZO87B9wWhVIEJXeth4G0wf0QRhyjONrPNOwbU3 AWoYRTIbhmLpdMGauBtJLVCGL+zhJB8hb8m7JgFHdLk4hgQW/QamRBJW+bU1V3WB9FAO irfx21nMQl/PBwIglf8ufzfUrnMSEIwoyIXwJN5CT73jx0H+vld98cjVxydN29fwvRUz Dwtw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712113928; x=1712718728; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=n/bCAw/8Z/WUI+iMwtdeFoGcdMDDV0pB3+hUu+rs9+M=; b=cCJ7A5yg+OssZO7wy/zaqAw8S5EocTQ4FHT1Ab+Wx+Iutyz6uoMbAqTq4OSVOLbQn0 TpFbA9oSN2AY+WYekIJltC8dU5lZwlU/vsFmHTkQKhcarE/1c9xxhF8S2pZEPRpvAKS+ y6Bvr8SdtoH4OS/5vyO73+ZycsNDjBmBYVqortg0ZIqRUv7UN/tVMlMOh3jXnJUuN19m 6rKDNAADaYoopgEdrlauDv244Y97/ZRoZs1x26YNM+v3GtptIUohtuwuXiP2ud6kX9xC L+aDgd7wJ9tXW5irX7BCSM3aIkKSFt20f5CmrgnxJxppB9b8xe6iGrg4FwzW3/H7wFI2 U+zQ== X-Gm-Message-State: AOJu0YyVL/xVesdEjGRz3Sjo7TDswlRI5u+fWQwCNq5ObIAWgb56y8xu kRGCFIb6JhWqNPJTXzZoEIaaF2M4pewGlltvFcOsuZlR8LBoSpcvfOcmsTjflevuMK38uPeBDCX V2CU= X-Google-Smtp-Source: AGHT+IE2nnO3Oz7WJ4A47nw17i1HF8XyKceZ/+k8PAtJp/M+vPyKz3VAblZnGzSpue1IK1bJlvbQVA== X-Received: by 2002:a05:6a21:2d89:b0:1a7:2e1f:9549 with SMTP id ty9-20020a056a212d8900b001a72e1f9549mr43360pzb.61.1712113928513; Tue, 02 Apr 2024 20:12:08 -0700 (PDT) Received: from xps13.. (067-053-223-136.biz.spectrum.com. [67.53.223.136]) by smtp.gmail.com with ESMTPSA id x15-20020a63170f000000b005dc87f5dfcfsm10371743pgl.78.2024.04.02.20.12.07 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 02 Apr 2024 20:12:08 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 6/7] tar: bump PR to deal with sstate corruption on autobuilder Date: Tue, 2 Apr 2024 17:11:51 -1000 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 03 Apr 2024 03:12:13 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/197891 Testing of an SPDX patch corrupted sstate, so bump PR to work around the issue Signed-off-by: Steve Sakoman --- meta/recipes-extended/tar/tar_1.32.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/recipes-extended/tar/tar_1.32.bb b/meta/recipes-extended/tar/tar_1.32.bb index c560741599..9297480e85 100644 --- a/meta/recipes-extended/tar/tar_1.32.bb +++ b/meta/recipes-extended/tar/tar_1.32.bb @@ -6,6 +6,8 @@ SECTION = "base" LICENSE = "GPLv3" LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504" +PR = "r1" + SRC_URI = "${GNU_MIRROR}/tar/tar-${PV}.tar.bz2 \ file://musl_dirent.patch \ file://CVE-2021-20193.patch \ From patchwork Wed Apr 3 03:11:52 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 41935 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id BCF38CD129A for ; Wed, 3 Apr 2024 03:12:13 +0000 (UTC) Received: from mail-il1-f180.google.com (mail-il1-f180.google.com [209.85.166.180]) by mx.groups.io with SMTP id smtpd.web11.2639.1712113930956241342 for ; Tue, 02 Apr 2024 20:12:11 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=uJlcqF8Y; spf=softfail (domain: sakoman.com, ip: 209.85.166.180, mailfrom: steve@sakoman.com) Received: by mail-il1-f180.google.com with SMTP id e9e14a558f8ab-3689933eb2dso26359275ab.1 for ; Tue, 02 Apr 2024 20:12:10 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1712113930; x=1712718730; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=llI2NJ+fFbI6n+msuSLzENQKXt/oYbmzXWJdZ/z+E9M=; b=uJlcqF8YmKWVv+9vvbxO8IBNJ/zyXGxJ5s3JapiwqCb50VIudZKEUe1cXQiohQLKHc Gk2U7IWDVfJcNnuX5xKV1ZFsCTMZSKN58KtTzELzfB7CONPC0W8xPLUlfRxOvljId3vm TYvVPnyZ+5C7xA1j4nZUgYBMKVmkV8nMb7MAkb207nZ/sr0mghrZg8/7PebsgGqOjWBU 27eUoj39AlljW1CPWwa01O+R6wO3FntW7vhogN1q2cfuGZnmpeuGj/2JjYtazjKgVemp tY+V0BCwRmdmX1C7hBJMk8pBIL0dVcHBLTi3ERobTusEzpje/lDRAHWphmJR8Qs3TPL5 YbCQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712113930; x=1712718730; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=llI2NJ+fFbI6n+msuSLzENQKXt/oYbmzXWJdZ/z+E9M=; b=dTZwjhFNJLq2//HmHtshe/s7rqDTUlLD4qO+NpOOHqYbgV8FMvd3wYRsB2WuUGju7f mIXy1tMOL4orZv2TRgWy/TnxZPSksQou2LgMWW9utfbSzKBo5PdDp7e/2BHsoTd7advw mUKulX0b1tUb/O7o1i3+OvlBdc33wN6H2vuAW9sygj4CTXcZ+/3GsOnw/y7dfFeu6lEy 7awioGxUJmAn1yjEY2jDcgLmFEeSXp+WAUztP3Dia8Woqm7XVspwg4CSNoWGUPiFfFv1 msYUFzq/GUYOjXxmyjsBqtBaU/Jht8fgwH3S2hDe/FtGyBgFtwWyKI6gFFsFMFho+Po0 ZBGQ== X-Gm-Message-State: AOJu0YxvPEEQAuTRJI8LTdhfDEgPfkaAdgGoZLsLhUkwovYIe982gwHX X2IjxAiQGwMPY/XwyFLd41cbVGCj2jKghNf/dOxlSfaA6tLWmyPSlUKbtJyH6/w9+s5fMgSLO4O WmeE= X-Google-Smtp-Source: AGHT+IEai9Ym85mPKaSKrOk1M8PmA+jd2IRMbit+ZekqmMzPXYzWMC04XsN1zPtYcy+dFAEijrZAFQ== X-Received: by 2002:a05:6e02:b2f:b0:369:eece:acb8 with SMTP id e15-20020a056e020b2f00b00369eeceacb8mr1149046ilu.4.1712113930096; Tue, 02 Apr 2024 20:12:10 -0700 (PDT) Received: from xps13.. (067-053-223-136.biz.spectrum.com. [67.53.223.136]) by smtp.gmail.com with ESMTPSA id x15-20020a63170f000000b005dc87f5dfcfsm10371743pgl.78.2024.04.02.20.12.09 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 02 Apr 2024 20:12:09 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 7/7] perf: bump PR to deal with sstate corruption on autobuilder Date: Tue, 2 Apr 2024 17:11:52 -1000 Message-Id: <47ce772102b45db14dc21112367534ea1c37e33c.1712113689.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 03 Apr 2024 03:12:13 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/197892 Testing of an SPDX patch corrupted sstate, so bump PR to work around the issue Signed-off-by: Steve Sakoman --- meta/recipes-kernel/perf/perf.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-kernel/perf/perf.bb b/meta/recipes-kernel/perf/perf.bb index 91bf648caa..42621e47d3 100644 --- a/meta/recipes-kernel/perf/perf.bb +++ b/meta/recipes-kernel/perf/perf.bb @@ -9,7 +9,7 @@ HOMEPAGE = "https://perf.wiki.kernel.org/index.php/Main_Page" LICENSE = "GPLv2" -PR = "r9" +PR = "r10" PACKAGECONFIG ??= "scripting tui libunwind" PACKAGECONFIG[dwarf] = ",NO_DWARF=1"