From patchwork Wed Apr 3 03:46:54 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 41939 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 215F3C6FD1F for ; Wed, 3 Apr 2024 03:47:14 +0000 (UTC) Received: from mail-pl1-f175.google.com (mail-pl1-f175.google.com [209.85.214.175]) by mx.groups.io with SMTP id smtpd.web10.3144.1712116031712129713 for ; Tue, 02 Apr 2024 20:47:11 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=OSwWCGpc; spf=softfail (domain: sakoman.com, ip: 209.85.214.175, mailfrom: steve@sakoman.com) Received: by mail-pl1-f175.google.com with SMTP id d9443c01a7336-1e267238375so3834045ad.1 for ; Tue, 02 Apr 2024 20:47:11 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1712116031; x=1712720831; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=eKluYUEz/1qbhHAX6E+XI3kGXxKC4tslN926yVUxSiw=; b=OSwWCGpcDlIpynBbygT7l59Xr0+02dce7qgJfOL/AGdHf8v8MkM4+T5eVHp/jHh6VJ bA0ARzrojg/cOtZPeNBSkCWeGD7t5Joy2aw3SDFvrfBjSQj05p4duuGv1HoBdEem7tZL DYg2EzZOVHmLGZvAQNgA2gcg2htvmhn+e/v2JOCvyU1QQp94+cZStyxIdLLtZW2y0QXM tRppKhhx68Gj4hIPt2JhkXhNn3TGeKi2PLtfEl4VlxBRIJVJDgNoJjvAwJuxQXQkSpev IVNGLsejK54NXmzWFWa7poJia/UdRpoz9War/3RFo1RbMCE3N804OPa7n4lm6DEv6M4s ApPg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712116031; x=1712720831; h=content-transfer-encoding:mime-version:references:in-reply-to 
:message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=eKluYUEz/1qbhHAX6E+XI3kGXxKC4tslN926yVUxSiw=; b=kpZP0DWFH5kH07rfIxv0vD2AomqcH5L+17Sa4OTErWKU7B92gEutqs15W+XJ9mt4Y4 DhR4jQgwpnwA0Sb2XuBPIvqEbG6OQ8vh+tIkswvHbPzPekpILEF+9i5xudL8ZpqyR4RU sBbfT8hHFTJPifsTg27pnQxAz2z3etANPDLM7Q7ZaCgRCORccVE/lsxVb5+HB39D/6Jo osQxDuDdHLx9GM8rD5f8VQiRk+PRlfgzgSnn8Dqrh2ENqJSPT3bsAKHzOaXLUqVNKWaL 9vSpu9BWYCR3BO8BmUVBzX/Dz7m+/R8TpkZP61VeTYOACGkDJaO2S/vqQPG+RluspgRE hlxw== X-Gm-Message-State: AOJu0YwLPUEh4x69uJVv94+u7dvmhNCuM84MDEr7qN1936UWY5HcBsLT MLQiFbulG9py8oDDYv9be8JeWPehqdMaTaTBQtwqrT2//xOBkTFJ9K0L/RK5BpTwCyp1ykYbv25 eSak= X-Google-Smtp-Source: AGHT+IEcU6TO5kWo/VMVQ1/MxRQWklYTJNCCiTnS/mR410KaWPKo885J1PXPs41qw1/vRnmE9847WQ== X-Received: by 2002:a17:902:dacd:b0:1e2:6482:db0f with SMTP id q13-20020a170902dacd00b001e26482db0fmr1752390plx.29.1712116030478; Tue, 02 Apr 2024 20:47:10 -0700 (PDT) Received: from xps13.. (067-053-223-136.biz.spectrum.com. [67.53.223.136]) by smtp.gmail.com with ESMTPSA id m11-20020a170902c44b00b001e278fb17c5sm2326128plm.150.2024.04.02.20.47.09 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 02 Apr 2024 20:47:10 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 1/9] nghttp2: fix CVE-2023-44487 Date: Tue, 2 Apr 2024 17:46:54 -1000 Message-Id: <0156b57dcdb2e5acdd9421a7c24c235f13da2d97.1712115855.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 03 Apr 2024 03:47:14 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/197894 
From: aszh07 The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. References: https://nvd.nist.gov/vuln/detail/CVE-2023-44487 https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832 Signed-off-by: Zahir Hussain Signed-off-by: Steve Sakoman --- .../nghttp2/nghttp2/CVE-2023-44487.patch | 927 ++++++++++++++++++ .../recipes-support/nghttp2/nghttp2_1.47.0.bb | 1 + 2 files changed, 928 insertions(+) create mode 100644 meta/recipes-support/nghttp2/nghttp2/CVE-2023-44487.patch diff --git a/meta/recipes-support/nghttp2/nghttp2/CVE-2023-44487.patch b/meta/recipes-support/nghttp2/nghttp2/CVE-2023-44487.patch new file mode 100644 index 0000000000..3cba83307c --- /dev/null +++ b/meta/recipes-support/nghttp2/nghttp2/CVE-2023-44487.patch 
@@ -0,0 +1,927 @@ +From 72b4af6143681f528f1d237b21a9a7aee1738832 Mon Sep 17 00:00:00 2001 +From: Tatsuhiro Tsujikawa +Date: Sun, 1 Oct 2023 00:05:01 +0900 +Subject: [PATCH] Rework session management + +CVE: CVE-2023-44487 + +Upstream-Status: Backport [https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832] + +Signed-off-by: Zahir Hussain zahir.basha@kpit.com +Signed-off-by: aszh07 +--- +CMakeLists.txt | 4 ++ +cmakeconfig.h.in | 9 +++ +configure.ac | 21 +++++++ +doc/Makefile.am | 1 + +lib/CMakeLists.txt | 2 + +lib/Makefile.am | 4 ++ +lib/includes/nghttp2/nghttp2.h | 17 ++++++ +lib/nghttp2_option.c | 7 +++ +lib/nghttp2_ratelim.c | 75 ++++++++++++++++++++++++ +lib/nghttp2_ratelim.h | 57 ++++++++++++++++++ +lib/nghttp2_session.c | 34 ++++++++++- +lib/nghttp2_session.h | 12 +++- +lib/nghttp2_time.c | 62 ++++++++++++++++++++ +lib/nghttp2_time.h | 38 ++++++++++++ +tests/nghttp2_ratelim_test.c | 101 ++++++++++++++++++++++++++++++++ +tests/nghttp2_ratelim_test.h | 35 +++++++++++ +tests/nghttp2_session_test.c | 103 +++++++++++++++++++++++++++++++++ +tests/nghttp2_session_test.h | 1 + +tests/CMakeLists.txt | 1 + +tests/Makefile.am | 6 +- +lib/nghttp2_option.h | 6 ++ +tests/main.c | 7 ++- +22 files changed, 598 insertions(+), 5 deletions(-) +create mode 100644 lib/nghttp2_ratelim.c +create mode 100644 lib/nghttp2_ratelim.h +create mode 100644 lib/nghttp2_time.c +create mode 100644 lib/nghttp2_time.h +create mode 100644 tests/nghttp2_ratelim_test.c +create mode 100644 tests/nghttp2_ratelim_test.h + +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -262,6 +262,7 @@ check_include_file("netinet/in.h" HAVE + check_include_file("pwd.h" HAVE_PWD_H) + check_include_file("sys/socket.h" HAVE_SYS_SOCKET_H) + check_include_file("sys/time.h" HAVE_SYS_TIME_H) ++check_include_file("sysinfoapi.h" HAVE_SYSINFOAPI_H) + check_include_file("syslog.h" HAVE_SYSLOG_H) + check_include_file("time.h" HAVE_TIME_H) + check_include_file("unistd.h" HAVE_UNISTD_H) +@@ -302,8 
+303,11 @@ check_type_size("time_t" SIZEOF_TIME_T) + include(CheckFunctionExists) + check_function_exists(_Exit HAVE__EXIT) + check_function_exists(accept4 HAVE_ACCEPT4) ++check_function_exists(clock_gettime HAVE_CLOCK_GETTIME) + check_function_exists(mkostemp HAVE_MKOSTEMP) + ++check_symbol_exists(GetTickCount64 sysinfoapi.h HAVE_GETTICKCOUNT64) ++ + include(CheckSymbolExists) + # XXX does this correctly detect initgroups (un)availability on cygwin? + check_symbol_exists(initgroups grp.h HAVE_DECL_INITGROUPS) +--- a/cmakeconfig.h.in ++++ b/cmakeconfig.h.in +@@ -34,9 +34,15 @@ + /* Define to 1 if you have the `accept4` function. */ + #cmakedefine HAVE_ACCEPT4 1 + ++/* Define to 1 if you have the `clock_gettime` function. */ ++#cmakedefine HAVE_CLOCK_GETTIME 1 ++ + /* Define to 1 if you have the `mkostemp` function. */ + #cmakedefine HAVE_MKOSTEMP 1 + ++/* Define to 1 if you have the `GetTickCount64` function. */ ++#cmakedefine HAVE_GETTICKCOUNT64 1 ++ + /* Define to 1 if you have the `initgroups` function. */ + #cmakedefine01 HAVE_DECL_INITGROUPS + +@@ -73,6 +79,9 @@ + /* Define to 1 if you have the header file. */ + #cmakedefine HAVE_SYS_TIME_H 1 + ++/* Define to 1 if you have the header file. */ ++#cmakedefine HAVE_SYSINFOAPI_H 1 ++ + /* Define to 1 if you have the header file. 
*/ + #cmakedefine HAVE_SYSLOG_H 1 + +--- a/configure.ac ++++ b/configure.ac +@@ -607,6 +607,7 @@ AC_CHECK_HEADERS([ \ + string.h \ + sys/socket.h \ + sys/time.h \ ++ sysinfoapi.h \ + syslog.h \ + time.h \ + unistd.h \ +@@ -681,6 +682,7 @@ AC_FUNC_STRNLEN + AC_CHECK_FUNCS([ \ + _Exit \ + accept4 \ ++ clock_gettime \ + dup2 \ + getcwd \ + getpwnam \ +@@ -706,6 +708,25 @@ AC_CHECK_FUNCS([ \ + AC_CHECK_FUNC([timerfd_create], + [have_timerfd_create=yes], [have_timerfd_create=no]) + ++AC_MSG_CHECKING([checking for GetTickCount64]) ++AC_LINK_IFELSE([AC_LANG_PROGRAM( ++[[ ++#include ++]], ++[[ ++GetTickCount64(); ++]])], ++[have_gettickcount64=yes], ++[have_gettickcount64=no]) ++ ++if test "x${have_gettickcount64}" = "xyes"; then ++ AC_MSG_RESULT([yes]) ++ AC_DEFINE([HAVE_GETTICKCOUNT64], [1], ++ [Define to 1 if you have `GetTickCount64` function.]) ++else ++ AC_MSG_RESULT([no]) ++fi ++ + # For cygwin: we can link initgroups, so AC_CHECK_FUNCS succeeds, but + # cygwin disables initgroups due to feature test macro magic with our + # configuration. FreeBSD declares initgroups() in unistd.h. 
+--- a/doc/Makefile.am ++++ b/doc/Makefile.am +@@ -69,6 +69,7 @@ APIDOCS= \ + nghttp2_option_set_user_recv_extension_type.rst \ + nghttp2_option_set_max_outbound_ack.rst \ + nghttp2_option_set_max_settings.rst \ ++ nghttp2_option_set_stream_reset_rate_limit.rst \ + nghttp2_pack_settings_payload.rst \ + nghttp2_priority_spec_check_default.rst \ + nghttp2_priority_spec_default_init.rst \ +--- a/lib/CMakeLists.txt ++++ b/lib/CMakeLists.txt +@@ -23,6 +23,8 @@ set(NGHTTP2_SOURCES + nghttp2_mem.c + nghttp2_http.c + nghttp2_rcbuf.c ++ nghttp2_ratelim.c ++ nghttp2_time.c + nghttp2_debug.c + ) + +--- a/lib/Makefile.am ++++ b/lib/Makefile.am +@@ -49,6 +49,8 @@ OBJECTS = nghttp2_pq.c nghttp2_map.c ngh + nghttp2_mem.c \ + nghttp2_http.c \ + nghttp2_rcbuf.c \ ++ nghttp2_ratelim.c \ ++ nghttp2_time.c \ + nghttp2_debug.c + + HFILES = nghttp2_pq.h nghttp2_int.h nghttp2_map.h nghttp2_queue.h \ +@@ -65,6 +67,8 @@ HFILES = nghttp2_pq.h nghttp2_int.h nght + nghttp2_mem.h \ + nghttp2_http.h \ + nghttp2_rcbuf.h \ ++ nghttp2_ratelim.h \ ++ nghttp2_time.h \ + nghttp2_debug.h + + libnghttp2_la_SOURCES = $(HFILES) $(OBJECTS) +--- a/lib/includes/nghttp2/nghttp2.h ++++ b/lib/includes/nghttp2/nghttp2.h +@@ -2763,6 +2763,23 @@ nghttp2_session_client_new2(nghttp2_sess + /** + * @function + * ++ * This function sets the rate limit for the incoming stream reset ++ * (RST_STREAM frame). It is server use only. It is a token-bucket ++ * based rate limiter. |burst| specifies the number of tokens that is ++ * initially available. The maximum number of tokens is capped to ++ * this value. |rate| specifies the number of tokens that are ++ * regenerated per second. An incoming RST_STREAM consumes one token. ++ * If there is no token available, GOAWAY is sent to tear down the ++ * connection. |burst| and |rate| default to 1000 and 33 ++ * respectively. 
++ */ ++NGHTTP2_EXTERN void ++nghttp2_option_set_stream_reset_rate_limit(nghttp2_option *option, ++ uint64_t burst, uint64_t rate); ++ ++/** ++ * @function ++ * + * Like `nghttp2_session_server_new()`, but with additional options + * specified in the |option|. + * +--- a/lib/nghttp2_option.c ++++ b/lib/nghttp2_option.c +@@ -126,3 +126,10 @@ void nghttp2_option_set_max_settings(ngh + option->opt_set_mask |= NGHTTP2_OPT_MAX_SETTINGS; + option->max_settings = val; + } ++ ++void nghttp2_option_set_stream_reset_rate_limit(nghttp2_option *option, ++ uint64_t burst, uint64_t rate) { ++ option->opt_set_mask |= NGHTTP2_OPT_STREAM_RESET_RATE_LIMIT; ++ option->stream_reset_burst = burst; ++ option->stream_reset_rate = rate; ++} +--- /dev/null ++++ b/lib/nghttp2_ratelim.c +@@ -0,0 +1,75 @@ ++/* ++ * nghttp2 - HTTP/2 C Library ++ * ++ * Copyright (c) 2023 nghttp2 contributors ++ * ++ * Permission is hereby granted, free of charge, to any person obtaining ++ * a copy of this software and associated documentation files (the ++ * "Software"), to deal in the Software without restriction, including ++ * without limitation the rights to use, copy, modify, merge, publish, ++ * distribute, sublicense, and/or sell copies of the Software, and to ++ * permit persons to whom the Software is furnished to do so, subject to ++ * the following conditions: ++ * ++ * The above copyright notice and this permission notice shall be ++ * included in all copies or substantial portions of the Software. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, ++ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF ++ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ++ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE ++ * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION ++ * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION ++ * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
++ */ ++#include "nghttp2_ratelim.h" ++#include "nghttp2_helper.h" ++ ++void nghttp2_ratelim_init(nghttp2_ratelim *rl, uint64_t burst, uint64_t rate) { ++ rl->val = rl->burst = burst; ++ rl->rate = rate; ++ rl->tstamp = 0; ++} ++ ++void nghttp2_ratelim_update(nghttp2_ratelim *rl, uint64_t tstamp) { ++ uint64_t d, gain; ++ ++ if (tstamp == rl->tstamp) { ++ return; ++ } ++ ++ if (tstamp > rl->tstamp) { ++ d = tstamp - rl->tstamp; ++ } else { ++ d = 1; ++ } ++ ++ rl->tstamp = tstamp; ++ ++ if (UINT64_MAX / d < rl->rate) { ++ rl->val = rl->burst; ++ ++ return; ++ } ++ ++ gain = rl->rate * d; ++ ++ if (UINT64_MAX - gain < rl->val) { ++ rl->val = rl->burst; ++ ++ return; ++ } ++ ++ rl->val += gain; ++ rl->val = nghttp2_min(rl->val, rl->burst); ++} ++ ++int nghttp2_ratelim_drain(nghttp2_ratelim *rl, uint64_t n) { ++ if (rl->val < n) { ++ return -1; ++ } ++ ++ rl->val -= n; ++ ++ return 0; ++} +--- /dev/null ++++ b/lib/nghttp2_ratelim.h +@@ -0,0 +1,57 @@ ++/* ++ * nghttp2 - HTTP/2 C Library ++ * ++ * Copyright (c) 2023 nghttp2 contributors ++ * ++ * Permission is hereby granted, free of charge, to any person obtaining ++ * a copy of this software and associated documentation files (the ++ * "Software"), to deal in the Software without restriction, including ++ * without limitation the rights to use, copy, modify, merge, publish, ++ * distribute, sublicense, and/or sell copies of the Software, and to ++ * permit persons to whom the Software is furnished to do so, subject to ++ * the following conditions: ++ * ++ * The above copyright notice and this permission notice shall be ++ * included in all copies or substantial portions of the Software. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, ++ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF ++ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ++ * NONINFRINGEMENT. 
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE ++ * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION ++ * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION ++ * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ++ */ ++#ifndef NGHTTP2_RATELIM_H ++#define NGHTTP2_RATELIM_H ++ ++#ifdef HAVE_CONFIG_H ++# include ++#endif /* HAVE_CONFIG_H */ ++ ++#include ++ ++typedef struct nghttp2_ratelim { ++ /* burst is the maximum value of val. */ ++ uint64_t burst; ++ /* rate is the amount of value that is regenerated per 1 tstamp. */ ++ uint64_t rate; ++ /* val is the amount of value available to drain. */ ++ uint64_t val; ++ /* tstamp is the last timestamp in second resolution that is known ++ to this object. */ ++ uint64_t tstamp; ++} nghttp2_ratelim; ++ ++/* nghttp2_ratelim_init initializes |rl| with the given parameters. */ ++void nghttp2_ratelim_init(nghttp2_ratelim *rl, uint64_t burst, uint64_t rate); ++ ++/* nghttp2_ratelim_update updates rl->val with the current |tstamp| ++ given in second resolution. */ ++void nghttp2_ratelim_update(nghttp2_ratelim *rl, uint64_t tstamp); ++ ++/* nghttp2_ratelim_drain drains |n| from rl->val. It returns 0 if it ++ succeeds, or -1. 
*/ ++int nghttp2_ratelim_drain(nghttp2_ratelim *rl, uint64_t n); ++ ++#endif /* NGHTTP2_RATELIM_H */ +--- a/lib/nghttp2_session.c ++++ b/lib/nghttp2_session.c +@@ -36,6 +36,7 @@ + #include "nghttp2_option.h" + #include "nghttp2_http.h" + #include "nghttp2_pq.h" ++#include "nghttp2_time.h" + #include "nghttp2_debug.h" + + /* +@@ -443,6 +444,10 @@ static int session_new(nghttp2_session * + NGHTTP2_DEFAULT_MAX_CONCURRENT_STREAMS; + (*session_ptr)->pending_enable_push = 1; + ++ nghttp2_ratelim_init(&(*session_ptr)->stream_reset_ratelim, ++ NGHTTP2_DEFAULT_STREAM_RESET_BURST, ++ NGHTTP2_DEFAULT_STREAM_RESET_RATE); ++ + if (server) { + (*session_ptr)->server = 1; + } +@@ -527,6 +532,12 @@ static int session_new(nghttp2_session * + option->max_settings) { + (*session_ptr)->max_settings = option->max_settings; + } ++ ++ if (option->opt_set_mask & NGHTTP2_OPT_STREAM_RESET_RATE_LIMIT) { ++ nghttp2_ratelim_init(&(*session_ptr)->stream_reset_ratelim, ++ option->stream_reset_burst, ++ option->stream_reset_rate); ++ } + } + + rv = nghttp2_hd_deflate_init2(&(*session_ptr)->hd_deflater, +@@ -4144,6 +4155,23 @@ static int session_process_priority_fram + return nghttp2_session_on_priority_received(session, frame); + } + ++static int session_update_stream_reset_ratelim(nghttp2_session *session) { ++ if (!session->server || (session->goaway_flags & NGHTTP2_GOAWAY_SUBMITTED)) { ++ return 0; ++ } ++ ++ nghttp2_ratelim_update(&session->stream_reset_ratelim, ++ nghttp2_time_now_sec()); ++ ++ if (nghttp2_ratelim_drain(&session->stream_reset_ratelim, 1) == 0) { ++ return 0; ++ } ++ ++ return nghttp2_session_add_goaway(session, session->last_recv_stream_id, ++ NGHTTP2_INTERNAL_ERROR, NULL, 0, ++ NGHTTP2_GOAWAY_AUX_NONE); ++} ++ + int nghttp2_session_on_rst_stream_received(nghttp2_session *session, + nghttp2_frame *frame) { + int rv; +@@ -4173,7 +4201,8 @@ int nghttp2_session_on_rst_stream_receiv + if (nghttp2_is_fatal(rv)) { + return rv; + } +- return 0; ++ ++ return 
session_update_stream_reset_ratelim(session); + } + + static int session_process_rst_stream_frame(nghttp2_session *session) { +@@ -6965,6 +6994,9 @@ int nghttp2_session_add_goaway(nghttp2_s + nghttp2_mem_free(mem, item); + return rv; + } ++ ++ session->goaway_flags |= NGHTTP2_GOAWAY_SUBMITTED; ++ + return 0; + } + +--- a/lib/nghttp2_session.h ++++ b/lib/nghttp2_session.h +@@ -39,6 +39,7 @@ + #include "nghttp2_buf.h" + #include "nghttp2_callbacks.h" + #include "nghttp2_mem.h" ++#include "nghttp2_ratelim.h" + + /* The global variable for tests where we want to disable strict + preface handling. */ +@@ -102,6 +103,10 @@ typedef struct { + /* The default value of maximum number of concurrent streams. */ + #define NGHTTP2_DEFAULT_MAX_CONCURRENT_STREAMS 0xffffffffu + ++/* The default values for stream reset rate limiter. */ ++#define NGHTTP2_DEFAULT_STREAM_RESET_BURST 1000 ++#define NGHTTP2_DEFAULT_STREAM_RESET_RATE 33 ++ + /* Internal state when receiving incoming frame */ + typedef enum { + /* Receiving frame header */ +@@ -176,7 +181,9 @@ typedef enum { + /* Flag means GOAWAY was sent */ + NGHTTP2_GOAWAY_SENT = 0x4, + /* Flag means GOAWAY was received */ +- NGHTTP2_GOAWAY_RECV = 0x8 ++ NGHTTP2_GOAWAY_RECV = 0x8, ++ /* Flag means GOAWAY has been submitted at least once */ ++ NGHTTP2_GOAWAY_SUBMITTED = 0x10 + } nghttp2_goaway_flag; + + /* nghttp2_inflight_settings stores the SETTINGS entries which local +@@ -230,6 +237,9 @@ struct nghttp2_session { + /* Queue of In-flight SETTINGS values. SETTINGS bearing ACK is not + considered as in-flight. */ + nghttp2_inflight_settings *inflight_settings_head; ++ /* Stream reset rate limiter. If receiving excessive amount of ++ stream resets, GOAWAY will be sent. */ ++ nghttp2_ratelim stream_reset_ratelim; + /* The number of outgoing streams. This will be capped by + remote_settings.max_concurrent_streams. 
*/ + size_t num_outgoing_streams; +--- /dev/null ++++ b/lib/nghttp2_time.c +@@ -0,0 +1,62 @@ ++/* ++ * nghttp2 - HTTP/2 C Library ++ * ++ * Copyright (c) 2023 nghttp2 contributors ++ * ++ * Permission is hereby granted, free of charge, to any person obtaining ++ * a copy of this software and associated documentation files (the ++ * "Software"), to deal in the Software without restriction, including ++ * without limitation the rights to use, copy, modify, merge, publish, ++ * distribute, sublicense, and/or sell copies of the Software, and to ++ * permit persons to whom the Software is furnished to do so, subject to ++ * the following conditions: ++ * ++ * The above copyright notice and this permission notice shall be ++ * included in all copies or substantial portions of the Software. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, ++ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF ++ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ++ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE ++ * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION ++ * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION ++ * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
++ */ ++#include "nghttp2_time.h" ++ ++#ifdef HAVE_TIME_H ++# include ++#endif /* HAVE_TIME_H */ ++ ++#ifdef HAVE_SYSINFOAPI_H ++# include ++#endif /* HAVE_SYSINFOAPI_H */ ++ ++#ifndef HAVE_GETTICKCOUNT64 ++static uint64_t time_now_sec(void) { ++ time_t t = time(NULL); ++ ++ if (t == -1) { ++ return 0; ++ } ++ ++ return (uint64_t)t; ++} ++#endif /* HAVE_GETTICKCOUNT64 */ ++ ++#ifdef HAVE_CLOCK_GETTIME ++uint64_t nghttp2_time_now_sec(void) { ++ struct timespec tp; ++ int rv = clock_gettime(CLOCK_MONOTONIC, &tp); ++ ++ if (rv == -1) { ++ return time_now_sec(); ++ } ++ ++ return (uint64_t)tp.tv_sec; ++} ++#elif defined(HAVE_GETTICKCOUNT64) ++uint64_t nghttp2_time_now_sec(void) { return GetTickCount64() / 1000; } ++#else /* !HAVE_CLOCK_GETTIME && !HAVE_GETTICKCOUNT64 */ ++uint64_t nghttp2_time_now_sec(void) { return time_now_sec(); } ++#endif /* !HAVE_CLOCK_GETTIME && !HAVE_GETTICKCOUNT64 */ +--- /dev/null ++++ b/lib/nghttp2_time.h +@@ -0,0 +1,38 @@ ++/* ++ * nghttp2 - HTTP/2 C Library ++ * ++ * Copyright (c) 2023 nghttp2 contributors ++ * ++ * Permission is hereby granted, free of charge, to any person obtaining ++ * a copy of this software and associated documentation files (the ++ * "Software"), to deal in the Software without restriction, including ++ * without limitation the rights to use, copy, modify, merge, publish, ++ * distribute, sublicense, and/or sell copies of the Software, and to ++ * permit persons to whom the Software is furnished to do so, subject to ++ * the following conditions: ++ * ++ * The above copyright notice and this permission notice shall be ++ * included in all copies or substantial portions of the Software. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, ++ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF ++ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ++ * NONINFRINGEMENT. 
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE ++ * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION ++ * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION ++ * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ++ */ ++#ifndef NGHTTP2_TIME_H ++#define NGHTTP2_TIME_H ++ ++#ifdef HAVE_CONFIG_H ++# include ++#endif /* HAVE_CONFIG_H */ ++ ++#include ++ ++/* nghttp2_time_now_sec returns seconds from implementation-specific ++ timepoint. If it is unable to get seconds, it returns 0. */ ++uint64_t nghttp2_time_now_sec(void); ++ ++#endif /* NGHTTP2_TIME_H */ +--- /dev/null ++++ b/tests/nghttp2_ratelim_test.c +@@ -0,0 +1,101 @@ ++/* ++ * nghttp2 - HTTP/2 C Library ++ * ++ * Copyright (c) 2023 nghttp2 contributors ++ * ++ * Permission is hereby granted, free of charge, to any person obtaining ++ * a copy of this software and associated documentation files (the ++ * "Software"), to deal in the Software without restriction, including ++ * without limitation the rights to use, copy, modify, merge, publish, ++ * distribute, sublicense, and/or sell copies of the Software, and to ++ * permit persons to whom the Software is furnished to do so, subject to ++ * the following conditions: ++ * ++ * The above copyright notice and this permission notice shall be ++ * included in all copies or substantial portions of the Software. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, ++ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF ++ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ++ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE ++ * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION ++ * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION ++ * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
++ */ ++#include "nghttp2_ratelim_test.h" ++ ++#include ++ ++#include ++ ++#include "nghttp2_ratelim.h" ++ ++void test_nghttp2_ratelim_update(void) { ++ nghttp2_ratelim rl; ++ ++ nghttp2_ratelim_init(&rl, 1000, 21); ++ ++ CU_ASSERT(1000 == rl.val); ++ CU_ASSERT(1000 == rl.burst); ++ CU_ASSERT(21 == rl.rate); ++ CU_ASSERT(0 == rl.tstamp); ++ ++ nghttp2_ratelim_update(&rl, 999); ++ ++ CU_ASSERT(1000 == rl.val); ++ CU_ASSERT(999 == rl.tstamp); ++ ++ nghttp2_ratelim_drain(&rl, 100); ++ ++ CU_ASSERT(900 == rl.val); ++ ++ nghttp2_ratelim_update(&rl, 1000); ++ ++ CU_ASSERT(921 == rl.val); ++ ++ nghttp2_ratelim_update(&rl, 1002); ++ ++ CU_ASSERT(963 == rl.val); ++ ++ nghttp2_ratelim_update(&rl, 1004); ++ ++ CU_ASSERT(1000 == rl.val); ++ CU_ASSERT(1004 == rl.tstamp); ++ ++ /* timer skew */ ++ nghttp2_ratelim_init(&rl, 1000, 21); ++ nghttp2_ratelim_update(&rl, 1); ++ ++ CU_ASSERT(1000 == rl.val); ++ ++ nghttp2_ratelim_update(&rl, 0); ++ ++ CU_ASSERT(1000 == rl.val); ++ ++ /* rate * duration overflow */ ++ nghttp2_ratelim_init(&rl, 1000, 100); ++ nghttp2_ratelim_drain(&rl, 999); ++ ++ CU_ASSERT(1 == rl.val); ++ ++ nghttp2_ratelim_update(&rl, UINT64_MAX); ++ ++ CU_ASSERT(1000 == rl.val); ++ ++ /* val + rate * duration overflow */ ++ nghttp2_ratelim_init(&rl, UINT64_MAX - 1, 2); ++ nghttp2_ratelim_update(&rl, 1); ++ ++ CU_ASSERT(UINT64_MAX - 1 == rl.val); ++} ++ ++void test_nghttp2_ratelim_drain(void) { ++ nghttp2_ratelim rl; ++ ++ nghttp2_ratelim_init(&rl, 100, 7); ++ ++ CU_ASSERT(-1 == nghttp2_ratelim_drain(&rl, 101)); ++ CU_ASSERT(0 == nghttp2_ratelim_drain(&rl, 51)); ++ CU_ASSERT(0 == nghttp2_ratelim_drain(&rl, 49)); ++ CU_ASSERT(-1 == nghttp2_ratelim_drain(&rl, 1)); ++} +--- /dev/null ++++ b/tests/nghttp2_ratelim_test.h +@@ -0,0 +1,35 @@ ++/* ++ * nghttp2 - HTTP/2 C Library ++ * ++ * Copyright (c) 2023 nghttp2 contributors ++ * ++ * Permission is hereby granted, free of charge, to any person obtaining ++ * a copy of this software and associated documentation files (the ++ 
* "Software"), to deal in the Software without restriction, including ++ * without limitation the rights to use, copy, modify, merge, publish, ++ * distribute, sublicense, and/or sell copies of the Software, and to ++ * permit persons to whom the Software is furnished to do so, subject to ++ * the following conditions: ++ * ++ * The above copyright notice and this permission notice shall be ++ * included in all copies or substantial portions of the Software. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, ++ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF ++ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ++ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE ++ * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION ++ * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION ++ * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ++ */ ++#ifndef NGHTTP2_RATELIM_TEST_H ++#define NGHTTP2_RATELIM_TEST_H ++ ++#ifdef HAVE_CONFIG_H ++# include ++#endif /* HAVE_CONFIG_H */ ++ ++void test_nghttp2_ratelim_update(void); ++void test_nghttp2_ratelim_drain(void); ++ ++#endif /* NGHTTP2_RATELIM_TEST_H */ +--- a/tests/nghttp2_session_test.c ++++ b/tests/nghttp2_session_test.c +@@ -10813,6 +10813,109 @@ void test_nghttp2_session_set_stream_use + nghttp2_session_del(session); + } + ++void test_nghttp2_session_stream_reset_ratelim(void) { ++ nghttp2_session *session; ++ nghttp2_session_callbacks callbacks; ++ nghttp2_frame frame; ++ ssize_t rv; ++ nghttp2_bufs bufs; ++ nghttp2_buf *buf; ++ nghttp2_mem *mem; ++ size_t i; ++ nghttp2_hd_deflater deflater; ++ size_t nvlen; ++ nghttp2_nv *nva; ++ int32_t stream_id; ++ nghttp2_outbound_item *item; ++ nghttp2_option *option; ++ ++ mem = nghttp2_mem_default(); ++ frame_pack_bufs_init(&bufs); ++ ++ memset(&callbacks, 0, sizeof(nghttp2_session_callbacks)); ++ callbacks.send_callback = null_send_callback; ++ ++ 
nghttp2_option_new(&option); ++ nghttp2_option_set_stream_reset_rate_limit( ++ option, NGHTTP2_DEFAULT_STREAM_RESET_BURST, 0); ++ ++ nghttp2_session_server_new2(&session, &callbacks, NULL, option); ++ ++ nghttp2_frame_settings_init(&frame.settings, NGHTTP2_FLAG_NONE, NULL, 0); ++ rv = nghttp2_frame_pack_settings(&bufs, &frame.settings); ++ ++ CU_ASSERT(0 == rv); ++ ++ nghttp2_frame_settings_free(&frame.settings, mem); ++ ++ buf = &bufs.head->buf; ++ rv = nghttp2_session_mem_recv(session, buf->pos, nghttp2_buf_len(buf)); ++ ++ CU_ASSERT((ssize_t)nghttp2_buf_len(buf) == rv); ++ ++ /* Send SETTINGS ACK */ ++ rv = nghttp2_session_send(session); ++ ++ CU_ASSERT(0 == rv); ++ ++ nghttp2_hd_deflate_init(&deflater, mem); ++ ++ for (i = 0; i < NGHTTP2_DEFAULT_STREAM_RESET_BURST + 2; ++i) { ++ stream_id = (int32_t)(i * 2 + 1); ++ ++ nghttp2_bufs_reset(&bufs); ++ ++ /* HEADERS */ ++ nvlen = ARRLEN(reqnv); ++ nghttp2_nv_array_copy(&nva, reqnv, nvlen, mem); ++ nghttp2_frame_headers_init(&frame.headers, NGHTTP2_FLAG_END_HEADERS, ++ stream_id, NGHTTP2_HCAT_HEADERS, NULL, nva, ++ nvlen); ++ rv = nghttp2_frame_pack_headers(&bufs, &frame.headers, &deflater); ++ ++ CU_ASSERT(0 == rv); ++ ++ nghttp2_frame_headers_free(&frame.headers, mem); ++ ++ buf = &bufs.head->buf; ++ rv = nghttp2_session_mem_recv(session, buf->pos, nghttp2_buf_len(buf)); ++ ++ CU_ASSERT((ssize_t)nghttp2_buf_len(buf) == rv); ++ ++ nghttp2_bufs_reset(&bufs); ++ ++ /* RST_STREAM */ ++ nghttp2_frame_rst_stream_init(&frame.rst_stream, stream_id, ++ NGHTTP2_NO_ERROR); ++ nghttp2_frame_pack_rst_stream(&bufs, &frame.rst_stream); ++ nghttp2_frame_rst_stream_free(&frame.rst_stream); ++ ++ buf = &bufs.head->buf; ++ rv = nghttp2_session_mem_recv(session, buf->pos, nghttp2_buf_len(buf)); ++ ++ CU_ASSERT((ssize_t)nghttp2_buf_len(buf) == rv); ++ ++ if (i < NGHTTP2_DEFAULT_STREAM_RESET_BURST) { ++ CU_ASSERT(0 == nghttp2_outbound_queue_size(&session->ob_reg)); ++ ++ continue; ++ } ++ ++ CU_ASSERT(1 == 
nghttp2_outbound_queue_size(&session->ob_reg)); ++ ++ item = nghttp2_session_get_next_ob_item(session); ++ ++ CU_ASSERT(NGHTTP2_GOAWAY == item->frame.hd.type); ++ CU_ASSERT(NGHTTP2_DEFAULT_STREAM_RESET_BURST * 2 + 1 == ++ item->frame.goaway.last_stream_id); ++ } ++ ++ nghttp2_hd_deflate_free(&deflater); ++ nghttp2_session_del(session); ++ nghttp2_bufs_free(&bufs); ++ nghttp2_option_del(option); ++} ++ + static void check_nghttp2_http_recv_headers_fail( + nghttp2_session *session, nghttp2_hd_deflater *deflater, int32_t stream_id, + int stream_state, const nghttp2_nv *nva, size_t nvlen) { +--- a/tests/nghttp2_session_test.h ++++ b/tests/nghttp2_session_test.h +@@ -160,6 +160,7 @@ void test_nghttp2_session_removed_closed + void test_nghttp2_session_pause_data(void); + void test_nghttp2_session_no_closed_streams(void); + void test_nghttp2_session_set_stream_user_data(void); ++void test_nghttp2_session_stream_reset_ratelim(void); + void test_nghttp2_http_mandatory_headers(void); + void test_nghttp2_http_content_length(void); + void test_nghttp2_http_content_length_mismatch(void); +--- a/tests/CMakeLists.txt ++++ b/tests/CMakeLists.txt +@@ -21,6 +21,7 @@ if(HAVE_CUNIT) + nghttp2_npn_test.c + nghttp2_helper_test.c + nghttp2_buf_test.c ++ nghttp2_ratelim_test.c + ) + + add_executable(main EXCLUDE_FROM_ALL +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -40,14 +40,16 @@ OBJECTS = main.c nghttp2_pq_test.c nghtt + nghttp2_hd_test.c \ + nghttp2_npn_test.c \ + nghttp2_helper_test.c \ +- nghttp2_buf_test.c ++ nghttp2_buf_test.c \ ++ nghttp2_ratelim_test.c + + HFILES = nghttp2_pq_test.h nghttp2_map_test.h nghttp2_queue_test.h \ + nghttp2_session_test.h \ + nghttp2_frame_test.h nghttp2_stream_test.h nghttp2_hd_test.h \ + nghttp2_npn_test.h nghttp2_helper_test.h \ + nghttp2_test_helper.h \ +- nghttp2_buf_test.h ++ nghttp2_buf_test.h \ ++ nghttp2_ratelim_test.h + + main_SOURCES = $(HFILES) $(OBJECTS) + +--- a/lib/nghttp2_option.h ++++ b/lib/nghttp2_option.h +@@ -68,6 +68,7 @@ 
typedef enum { + NGHTTP2_OPT_NO_CLOSED_STREAMS = 1 << 10, + NGHTTP2_OPT_MAX_OUTBOUND_ACK = 1 << 11, + NGHTTP2_OPT_MAX_SETTINGS = 1 << 12, ++ NGHTTP2_OPT_STREAM_RESET_RATE_LIMIT = 1 << 15, + } nghttp2_option_flag; + + /** +@@ -75,6 +76,11 @@ typedef enum { + */ + struct nghttp2_option { + /** ++ * NGHTTP2_OPT_STREAM_RESET_RATE_LIMIT ++ */ ++ uint64_t stream_reset_burst; ++ uint64_t stream_reset_rate; ++ /** + * NGHTTP2_OPT_MAX_SEND_HEADER_BLOCK_LENGTH + */ + size_t max_send_header_block_length; +--- a/tests/main.c ++++ b/tests/main.c +@@ -40,6 +40,7 @@ + #include "nghttp2_npn_test.h" + #include "nghttp2_helper_test.h" + #include "nghttp2_buf_test.h" ++#include "nghttp2_ratelim_test.h" + + extern int nghttp2_enable_strict_preface; + +@@ -323,6 +324,8 @@ int main() { + test_nghttp2_session_no_closed_streams) || + !CU_add_test(pSuite, "session_set_stream_user_data", + test_nghttp2_session_set_stream_user_data) || ++ !CU_add_test(pSuite, "session_stream_reset_ratelim", ++ test_nghttp2_session_stream_reset_ratelim) || + !CU_add_test(pSuite, "http_mandatory_headers", + test_nghttp2_http_mandatory_headers) || + !CU_add_test(pSuite, "http_content_length", +@@ -418,7 +421,9 @@ int main() { + !CU_add_test(pSuite, "bufs_advance", test_nghttp2_bufs_advance) || + !CU_add_test(pSuite, "bufs_next_present", + test_nghttp2_bufs_next_present) || +- !CU_add_test(pSuite, "bufs_realloc", test_nghttp2_bufs_realloc)) { ++ !CU_add_test(pSuite, "bufs_realloc", test_nghttp2_bufs_realloc) || ++ !CU_add_test(pSuite, "ratelim_update", test_nghttp2_ratelim_update) || ++ !CU_add_test(pSuite, "ratelim_drain", test_nghttp2_ratelim_drain)) { + CU_cleanup_registry(); + return (int)CU_get_error(); + } diff --git a/meta/recipes-support/nghttp2/nghttp2_1.47.0.bb b/meta/recipes-support/nghttp2/nghttp2_1.47.0.bb index 0b9091f7e8..b67313b5c2 100644 --- a/meta/recipes-support/nghttp2/nghttp2_1.47.0.bb +++ b/meta/recipes-support/nghttp2/nghttp2_1.47.0.bb 
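Review bot: the lib/nghttp2_option.h hunk assigns NGHTTP2_OPT_STREAM_RESET_RATE_LIMIT = 1 << 15 directly after NGHTTP2_OPT_MAX_SETTINGS = 1 << 12, leaving bits 13 and 14 unused. If that is deliberate, to keep the flag value identical to upstream so that later option backports do not collide, say so in a comment beside the enum entry; otherwise a reader of the 1.47.0 tree will take the gap for a mistake.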
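Review bot: the tests/CMakeLists.txt and tests/Makefile.am hunks add nghttp2_ratelim_test.c and nghttp2_ratelim_test.h, and the tests/main.c hunk registers test_nghttp2_ratelim_update and test_nghttp2_ratelim_drain from them, but neither new file appears in this part of the series. Confirm that the backport creates both (together with the rate-limiter source they exercise), or the CUnit build fails at link time as soon as someone runs the test target.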
@@ -10,6 +10,7 @@ SRC_URI = "\ https://github.com/nghttp2/nghttp2/releases/download/v${PV}/nghttp2-${PV}.tar.xz \ file://0001-fetch-ocsp-response-use-python3.patch \ file://CVE-2023-35945.patch \ + file://CVE-2023-44487.patch \ " SRC_URI[sha256sum] = "68271951324554c34501b85190f22f2221056db69f493afc3bbac8e7be21e7cc"

From patchwork Wed Apr 3 03:46:55 2024
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 41944
X-Patchwork-Delegate: steve@sakoman.com
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 2/9] xwayland: fix CVE-2023-6816 CVE-2024-0408/0409
Date: Tue, 2 Apr 2024 17:46:55 -1000
X-Mailer: git-send-email 2.34.1
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/197895

From: Lee Chee Yang

fix CVE-2023-6816 CVE-2024-0408 CVE-2024-0409

Signed-off-by: Lee Chee Yang
Signed-off-by: Steve Sakoman
---
 .../xwayland/xwayland/CVE-2023-6816.patch | 57 ++++++++++++++++
 .../xwayland/xwayland/CVE-2024-0408.patch | 65 +++++++++++++++++++
 .../xwayland/xwayland/CVE-2024-0409.patch | 47 ++++++++++++++
 .../xwayland/xwayland_22.1.8.bb | 3 +
 4 files changed, 172 insertions(+)
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2023-6816.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2024-0408.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2024-0409.patch

diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2023-6816.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2023-6816.patch
new file mode 100644
index 0000000000..5c68bfb3c1
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2023-6816.patch
@@ -0,0 +1,57 @@ +CVE: CVE-2023-6816 +Upstream-Status: Backport [ https://gitlab.freedesktop.org/xorg/xserver/-/commit/b5cb27032d3e486ba84a491e1420e85171c4c0a3 ] +Signed-off-by: Lee Chee Yang + +From b5cb27032d3e486ba84a491e1420e85171c4c0a3 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Thu, 14 Dec 2023 11:29:49 +1000 +Subject: [PATCH] dix: allocate enough space for logical button maps + +Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for +each logical button currently down. Since buttons can be arbitrarily mapped +to anything up to 255 make sure we have enough bits for the maximum mapping. + +CVE-2023-6816, ZDI-CAN-22664, ZDI-CAN-22665 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +(cherry picked from commit 9e2ecb2af8302dedc49cb6a63ebe063c58a9e7e3) +--- + Xi/xiquerypointer.c | 3 +-- + dix/enterleave.c | 5 +++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/Xi/xiquerypointer.c b/Xi/xiquerypointer.c +index 5b77b1a444..2b05ac5f39 100644 +--- a/Xi/xiquerypointer.c ++++ b/Xi/xiquerypointer.c +@@ -149,8 +149,7 @@ ProcXIQueryPointer(ClientPtr client) + if (pDev->button) { + int i; + +- rep.buttons_len = +- bytes_to_int32(bits_to_bytes(pDev->button->numButtons)); ++ rep.buttons_len = bytes_to_int32(bits_to_bytes(256)); /* button map up to 255 */ + rep.length += rep.buttons_len; + buttons = calloc(rep.buttons_len, 4); + if (!buttons) +diff --git a/dix/enterleave.c b/dix/enterleave.c +index 867ec74363..ded8679d76 100644 +--- a/dix/enterleave.c ++++ b/dix/enterleave.c +@@ -784,8 +784,9 @@ DeviceFocusEvent(DeviceIntPtr dev, int type, int mode, int detail, + + mouse = IsFloating(dev) ? dev : GetMaster(dev, MASTER_POINTER); + +- /* XI 2 event */ +- btlen = (mouse->button) ? bits_to_bytes(mouse->button->numButtons) : 0; ++ /* XI 2 event contains the logical button map - maps are CARD8 ++ * so we need 256 bits for the possibly maximum mapping */ ++ btlen = (mouse->button) ? 
bits_to_bytes(256) : 0; + btlen = bytes_to_int32(btlen); + len = sizeof(xXIFocusInEvent) + btlen * 4; + +-- +GitLab + diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0408.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0408.patch new file mode 100644 index 0000000000..9063cd00b2 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0408.patch 
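Review bot: the value 256 is now hardcoded at two allocation sites, rep.buttons_len in Xi/xiquerypointer.c and btlen in dix/enterleave.c, with only a trailing comment at each tying it to the CARD8 button map. A single named constant shared by both files would keep the two sizes from drifting apart in a future change and would let the "button map up to 255" explanation live in one place.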
@@ -0,0 +1,65 @@ +CVE: CVE-2024-0408 +Upstream-Status: Backport [ https://gitlab.freedesktop.org/xorg/xserver/-/commit/4093057b98bc5a178f130c9ba6b0b28385e24ae5 ] +Signed-off-by: Lee Chee Yang + +From 4093057b98bc5a178f130c9ba6b0b28385e24ae5 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Wed, 6 Dec 2023 12:09:41 +0100 +Subject: [PATCH] glx: Call XACE hooks on the GLX buffer + +The XSELINUX code will label resources at creation by checking the +access mode. When the access mode is DixCreateAccess, it will call the +function to label the new resource SELinuxLabelResource(). + +However, GLX buffers do not go through the XACE hooks when created, +hence leaving the resource actually unlabeled. + +When, later, the client tries to create another resource using that +drawable (like a GC for example), the XSELINUX code would try to use +the security ID of that object which has never been labeled, get a NULL +pointer and crash when checking whether the requested permissions are +granted for subject security ID. + +To avoid the issue, make sure to call the XACE hooks when creating the +GLX buffers. + +Credit goes to Donn Seeley for providing the patch. 
+ +CVE-2024-0408 + +Signed-off-by: Olivier Fourdan +Acked-by: Peter Hutterer +(cherry picked from commit e5e8586a12a3ec915673edffa10dc8fe5e15dac3) +--- + glx/glxcmds.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/glx/glxcmds.c b/glx/glxcmds.c +index fc26a2e345..1e46d0c723 100644 +--- a/glx/glxcmds.c ++++ b/glx/glxcmds.c +@@ -48,6 +48,7 @@ + #include "indirect_util.h" + #include "protocol-versions.h" + #include "glxvndabi.h" ++#include "xace.h" + + static char GLXServerVendorName[] = "SGI"; + +@@ -1392,6 +1393,13 @@ DoCreatePbuffer(ClientPtr client, int screenNum, XID fbconfigId, + if (!pPixmap) + return BadAlloc; + ++ err = XaceHook(XACE_RESOURCE_ACCESS, client, glxDrawableId, RT_PIXMAP, ++ pPixmap, RT_NONE, NULL, DixCreateAccess); ++ if (err != Success) { ++ (*pGlxScreen->pScreen->DestroyPixmap) (pPixmap); ++ return err; ++ } ++ + /* Assign the pixmap the same id as the pbuffer and add it as a + * resource so it and the DRI2 drawable will be reclaimed when the + * pbuffer is destroyed. */ +-- +GitLab + diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0409.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0409.patch new file mode 100644 index 0000000000..de3396a410 --- /dev/null +++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0409.patch 
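Review bot: the new early return in DoCreatePbuffer frees the pixmap with (*pGlxScreen->pScreen->DestroyPixmap) before returning err, which is right at this point because, as the comment immediately after the hunk says, the pixmap is only added as a resource afterwards; a plain return of err would have leaked it. The hunk assigns to `err` without declaring it, so confirm that DoCreatePbuffer in the 22.1.8 tree already has an `int err` in scope, or the backport will not compile.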
@@ -0,0 +1,47 @@ +CVE: CVE-2024-0409 +Upstream-Status: Backport [ https://gitlab.freedesktop.org/xorg/xserver/-/commit/51be9e767a02cdc6a524dc895dcc81abb689d50b ] +Signed-off-by: Lee Chee Yang + +From 51be9e767a02cdc6a524dc895dcc81abb689d50b Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan +Date: Wed, 6 Dec 2023 11:51:56 +0100 +Subject: [PATCH] ephyr,xwayland: Use the proper private key for cursor + +The cursor in DIX is actually split in two parts, the cursor itself and +the cursor bits, each with their own devPrivates. + +The cursor itself includes the cursor bits, meaning that the cursor bits +devPrivates in within structure of the cursor. + +Both Xephyr and Xwayland were using the private key for the cursor bits +to store the data for the cursor, and when using XSELINUX which comes +with its own special devPrivates, the data stored in that cursor bits' +devPrivates would interfere with the XSELINUX devPrivates data and the +SELINUX security ID would point to some other unrelated data, causing a +crash in the XSELINUX code when trying to (re)use the security ID. + +CVE-2024-0409 + +Signed-off-by: Olivier Fourdan +Reviewed-by: Peter Hutterer +(cherry picked from commit 2ef0f1116c65d5cb06d7b6d83f8a1aea702c94f7) +--- + hw/xwayland/xwayland-cursor.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/xwayland/xwayland-cursor.c b/hw/xwayland/xwayland-cursor.c +index e3c1aaa50c..bd94b0cfbb 100644 +--- a/hw/xwayland/xwayland-cursor.c ++++ b/hw/xwayland/xwayland-cursor.c +@@ -431,7 +431,7 @@ static miPointerScreenFuncRec xwl_pointer_screen_funcs = { + Bool + xwl_screen_init_cursor(struct xwl_screen *xwl_screen) + { +- if (!dixRegisterPrivateKey(&xwl_cursor_private_key, PRIVATE_CURSOR_BITS, 0)) ++ if (!dixRegisterPrivateKey(&xwl_cursor_private_key, PRIVATE_CURSOR, 0)) + return FALSE; + + return miPointerInitialize(xwl_screen->screen, +-- +GitLab + 
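Review bot: the commit message describes both Xephyr and Xwayland registering the cursor private key against PRIVATE_CURSOR_BITS, but the diffstat touches only hw/xwayland/xwayland-cursor.c. That is expected for this recipe, since the standalone xwayland tarball does not build Xephyr, but one line in the backport header saying the Xephyr hunk was dropped on purpose would save the next reader from hunting for it.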
diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb index e6e17d7da5..133c65fbc3 100644 --- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb +++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb 
@@ -13,6 +13,9 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \ file://CVE-2023-5367.patch \ file://CVE-2023-6377.patch \ file://CVE-2023-6478.patch \ + file://CVE-2023-6816.patch \ + file://CVE-2024-0408.patch \ + file://CVE-2024-0409.patch \ " SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"

From patchwork Wed Apr 3 03:46:56 2024
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 41947
X-Patchwork-Delegate: steve@sakoman.com
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 3/9] expat: fix CVE-2023-52425
Date: Tue, 2 Apr 2024 17:46:56 -1000
Message-Id: <1bdcd10930a2998f6bbe56b3ba4c9b6c91203b39.1712115855.git.steve@sakoman.com>
X-Mailer: git-send-email 2.34.1
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/197896

From: Meenali Gupta

libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.

References: https://nvd.nist.gov/vuln/detail/CVE-2023-52425

Changes related to the test directory are not included, as most of the files are not present and are introduced in a later version.

Signed-off-by: Meenali Gupta
Signed-off-by: Steve Sakoman
---
 .../expat/expat/CVE-2023-52425-0001.patch | 40 ++++
 .../expat/expat/CVE-2023-52425-0002.patch | 87 +++++++
 .../expat/expat/CVE-2023-52425-0003.patch | 222 ++++++++++++++++++
 .../expat/expat/CVE-2023-52425-0004.patch | 42 ++++
 .../expat/expat/CVE-2023-52425-0005.patch | 69 ++++++
 .../expat/expat/CVE-2023-52425-0006.patch | 67 ++++++
 .../expat/expat/CVE-2023-52425-0007.patch | 159 +++++++++++++
 .../expat/expat/CVE-2023-52425-0008.patch | 95 ++++++++
 .../expat/expat/CVE-2023-52425-0009.patch | 52 ++++
 .../expat/expat/CVE-2023-52425-0010.patch | 111 +++++++++
 .../expat/expat/CVE-2023-52425-0011.patch | 89 +++++++
 .../expat/expat/CVE-2023-52425-0012.patch | 87 +++++++
 meta/recipes-core/expat/expat_2.5.0.bb | 12 +
 13 files changed, 1132 insertions(+)
 create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0001.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0002.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0003.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0004.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0005.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0006.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0007.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0008.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0009.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0010.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0011.patch
 create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0012.patch

diff --git a/meta/recipes-core/expat/expat/CVE-2023-52425-0001.patch b/meta/recipes-core/expat/expat/CVE-2023-52425-0001.patch
new file mode 100644
index 0000000000..4e21ade018
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2023-52425-0001.patch
@@ -0,0 +1,40 @@ +From d5b02e96ab95d2a7ae0aea72d00054b9d036d76d Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Thu, 9 Nov 2023 19:28:05 +0100 +Subject: [PATCH] xmlwf: Document argument "-q" + +Rebased-and-adapted-by: Snild Dolkow + +CVE: CVE-2023-52425 + +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/d5b02e96ab95d2a7ae0aea72d00054b9d036d76d] + +Signed-off-by: Meenali Gupta +--- + doc/xmlwf.xml | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/doc/xmlwf.xml b/doc/xmlwf.xml +index 9603abf..3d35393 100644 +--- a/doc/xmlwf.xml ++++ b/doc/xmlwf.xml +@@ -313,6 +313,16 @@ supports both. + + + ++ ++ ++ ++ ++ Disable reparse deferral, and allow quadratic parse runtime ++ on large tokens (default: reparse deferral enabled). ++ ++ ++ ++ + + + +-- +2.40.0 + diff --git a/meta/recipes-core/expat/expat/CVE-2023-52425-0002.patch b/meta/recipes-core/expat/expat/CVE-2023-52425-0002.patch new file mode 100644 index 0000000000..8376727778 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2023-52425-0002.patch 
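Review bot: in the doc/xmlwf.xml hunk the added lines appear as bare `++` lines around the two sentences of option text, so the DocBook markup that would carry the new -q entry cannot be seen here. Check that the patch file committed to the tree still contains that markup and applies cleanly with git am, since this view cannot confirm it.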
@@ -0,0 +1,87 @@ +From 09fdf998e7cf3f8f9327e6602077791095aedd4d Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Thu, 9 Nov 2023 19:14:14 +0100 +Subject: [PATCH] xmlwf: Support disabling reparse deferral + +Rebased-and-adapted-by: Snild Dolkow + +CVE: CVE-2023-52425 + +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/09fdf998e7cf3f8f9327e6602077791095aedd4d] + +Signed-off-by: Meenali Gupta +--- + xmlwf/xmlwf.c | 20 ++++++++++++++++++++ + xmlwf/xmlwf_helpgen.py | 4 ++++ + 2 files changed, 24 insertions(+) + +diff --git a/xmlwf/xmlwf.c b/xmlwf/xmlwf.c +index dd023a9..9a5441c 100644 +--- a/xmlwf/xmlwf.c ++++ b/xmlwf/xmlwf.c +@@ -911,6 +911,9 @@ usage(const XML_Char *prog, int rc) { + T("billion laughs attack protection:\n") + T(" NOTE: If you ever need to increase these values for non-attack payload, please file a bug report.\n") + T("\n") ++ T("reparse deferral:\n") ++ T(" -q disable reparse deferral, and allow [q]uadratic parse runtime with large tokens\n") ++ T("\n") + T(" -a FACTOR set maximum tolerated [a]mplification factor (default: 100.0)\n") + T(" -b BYTES set number of output [b]ytes needed to activate (default: 8 MiB)\n") + T("\n") +@@ -967,6 +970,8 @@ tmain(int argc, XML_Char **argv) { + unsigned long long attackThresholdBytes; + XML_Bool attackThresholdGiven = XML_FALSE; + ++ XML_Bool disableDeferral = XML_FALSE; ++ + int exitCode = XMLWF_EXIT_SUCCESS; + enum XML_ParamEntityParsing paramEntityParsing + = XML_PARAM_ENTITY_PARSING_NEVER; +@@ -1091,6 +1096,11 @@ tmain(int argc, XML_Char **argv) { + #endif + break; + } ++ case T('q'): { ++ disableDeferral = XML_TRUE; ++ j++; ++ break; ++ } + case T('\0'): + if (j > 1) { + i++; +@@ -1136,6 +1146,16 @@ tmain(int argc, XML_Char **argv) { + #endif + } + ++ if (disableDeferral) { ++ const XML_Bool success = XML_SetReparseDeferralEnabled(parser, XML_FALSE); ++ if (! success) { ++ // This prevents tperror(..) 
from reporting misleading "[..]: Success" ++ errno = EINVAL; ++ tperror(T("Failed to disable reparse deferral")); ++ exit(XMLWF_EXIT_INTERNAL_ERROR); ++ } ++ } ++ + if (requireStandalone) + XML_SetNotStandaloneHandler(parser, notStandalone); + XML_SetParamEntityParsing(parser, paramEntityParsing); +diff --git a/xmlwf/xmlwf_helpgen.py b/xmlwf/xmlwf_helpgen.py +index c2a527f..1bd0a0a 100755 +--- a/xmlwf/xmlwf_helpgen.py ++++ b/xmlwf/xmlwf_helpgen.py +@@ -81,6 +81,10 @@ billion_laughs.add_argument('-a', metavar='FACTOR', + help='set maximum tolerated [a]mplification factor (default: 100.0)') + billion_laughs.add_argument('-b', metavar='BYTES', help='set number of output [b]ytes needed to activate (default: 8 MiB)') + ++reparse_deferral = parser.add_argument_group('reparse deferral') ++reparse_deferral.add_argument('-q', metavar='FACTOR', ++ help='disable reparse deferral, and allow [q]uadratic parse runtime with large tokens') ++ + parser.add_argument('files', metavar='FILE', nargs='*', help='file to process (default: STDIN)') + + info = parser.add_argument_group('info arguments') +-- +2.40.0 + diff --git a/meta/recipes-core/expat/expat/CVE-2023-52425-0003.patch b/meta/recipes-core/expat/expat/CVE-2023-52425-0003.patch new file mode 100644 index 0000000000..e5c3606e19 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2023-52425-0003.patch 
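Review bot: in the xmlwf/xmlwf.c usage() hunk the new "reparse deferral:" heading and its -q line are inserted between the "billion laughs attack protection:" header and the -a/-b lines that belong to it, so the help output now lists -a and -b under the reparse-deferral heading. Move the three added T() lines to after the `-b BYTES` line and its trailing T("\n").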
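Review bot: in the xmlwf/xmlwf_helpgen.py hunk, -q is a boolean switch (the xmlwf.c hunk only sets disableDeferral = XML_TRUE for it), yet the add_argument call carries metavar='FACTOR' copied from the -a option, so the generated usage text will show `-q FACTOR`. Use action='store_true' and drop the metavar.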
@@ -0,0 +1,222 @@ +From 9cdf9b8d77d5c2c2a27d15fb68dd3f83cafb45a1 Mon Sep 17 00:00:00 2001 +From: Snild Dolkow +Date: Thu, 17 Aug 2023 16:25:26 +0200 +Subject: [PATCH] Skip parsing after repeated partials on the same token When + the parse buffer contains the starting bytes of a token but not all of them, + we cannot parse the token to completion. We call this a partial token. When + this happens, the parse position is reset to the start of the token, and the + parse() call returns. The client is then expected to provide more data and + call parse() again. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +In extreme cases, this means that the bytes of a token may be parsed +many times: once for every buffer refill required before the full token +is present in the buffer. + +Math: + Assume there's a token of T bytes + Assume the client fills the buffer in chunks of X bytes + We'll try to parse X, 2X, 3X, 4X ... until mX == T (technically >=) + That's (m²+m)X/2 = (T²/X+T)/2 bytes parsed (arithmetic progression) + While it is alleviated by larger refills, this amounts to O(T²) + +Expat grows its internal buffer by doubling it when necessary, but has +no way to inform the client about how much space is available. Instead, +we add a heuristic that skips parsing when we've repeatedly stopped on +an incomplete token. Specifically: + + * Only try to parse if we have a certain amount of data buffered + * Every time we stop on an incomplete token, double the threshold + * As soon as any token completes, the threshold is reset + +This means that when we get stuck on an incomplete token, the threshold +grows exponentially, effectively making the client perform larger buffer +fills, limiting how many times we can end up re-parsing the same bytes. + +Math: + Assume there's a token of T bytes + Assume the client fills the buffer in chunks of X bytes + We'll try to parse X, 2X, 4X, 8X ... 
until (2^k)X == T (or larger) + That's (2^(k+1)-1)X bytes parsed -- e.g. 15X if T = 8X + This is equal to 2T-X, which amounts to O(T) + +We could've chosen a faster growth rate, e.g. 4 or 8. Those seem to +increase performance further, at the cost of further increasing the +risk of growing the buffer more than necessary. This can easily be +adjusted in the future, if desired. + +This is all completely transparent to the client, except for: +1. possible delay of some callbacks (when our heuristic overshoots) +2. apps that never do isFinal=XML_TRUE could miss data at the end + +For the affected testdata, this change shows a 100-400x speedup. +The recset.xml benchmark shows no clear change either way. + +Before: +benchmark -n ../testdata/largefiles/recset.xml 65535 3 + 3 loops, with buffer size 65535. Average time per loop: 0.270223 +benchmark -n ../testdata/largefiles/aaaaaa_attr.xml 4096 3 + 3 loops, with buffer size 4096. Average time per loop: 15.033048 +benchmark -n ../testdata/largefiles/aaaaaa_cdata.xml 4096 3 + 3 loops, with buffer size 4096. Average time per loop: 0.018027 +benchmark -n ../testdata/largefiles/aaaaaa_comment.xml 4096 3 + 3 loops, with buffer size 4096. Average time per loop: 11.775362 +benchmark -n ../testdata/largefiles/aaaaaa_tag.xml 4096 3 + 3 loops, with buffer size 4096. Average time per loop: 11.711414 +benchmark -n ../testdata/largefiles/aaaaaa_text.xml 4096 3 + 3 loops, with buffer size 4096. Average time per loop: 0.019362 + +After: +./run.sh benchmark -n ../testdata/largefiles/recset.xml 65535 3 + 3 loops, with buffer size 65535. Average time per loop: 0.269030 +./run.sh benchmark -n ../testdata/largefiles/aaaaaa_attr.xml 4096 3 + 3 loops, with buffer size 4096. Average time per loop: 0.044794 +./run.sh benchmark -n ../testdata/largefiles/aaaaaa_cdata.xml 4096 3 + 3 loops, with buffer size 4096. Average time per loop: 0.016377 +./run.sh benchmark -n ../testdata/largefiles/aaaaaa_comment.xml 4096 3 + 3 loops, with buffer size 4096. 
Average time per loop: 0.027022 +./run.sh benchmark -n ../testdata/largefiles/aaaaaa_tag.xml 4096 3 + 3 loops, with buffer size 4096. Average time per loop: 0.099360 +./run.sh benchmark -n ../testdata/largefiles/aaaaaa_text.xml 4096 3 + 3 loops, with buffer size 4096. Average time per loop: 0.017956 + +CVE: CVE-2023-52425 + +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/9cdf9b8d77d5c2c2a27d15fb68dd3f83cafb45a1] + +Signed-off-by: Meenali Gupta +--- + lib/xmlparse.c | 58 +++++++++++++++++++++++++++++++++----------------- + 1 file changed, 39 insertions(+), 19 deletions(-) + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index bbffcaa..5695417 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -81,6 +81,7 @@ + # endif + #endif + ++#include + #include + #include /* memset(), memcpy() */ + #include +@@ -629,6 +630,7 @@ struct XML_ParserStruct { + const char *m_bufferLim; + XML_Index m_parseEndByteIndex; + const char *m_parseEndPtr; ++ size_t m_partialTokenBytesBefore; /* used in heuristic to avoid O(n^2) */ + XML_Char *m_dataBuf; + XML_Char *m_dataBufEnd; + XML_StartElementHandler m_startElementHandler; +@@ -960,6 +962,32 @@ get_hash_secret_salt(XML_Parser parser) { + return parser->m_hash_secret_salt; + } + ++static enum XML_Error ++callProcessor(XML_Parser parser, const char *start, const char *end, ++ const char **endPtr) { ++ const size_t have_now = EXPAT_SAFE_PTR_DIFF(end, start); ++ ++ if (! parser->m_parsingStatus.finalBuffer) { ++ // Heuristic: don't try to parse a partial token again until the amount of ++ // available data has increased significantly. ++ const size_t had_before = parser->m_partialTokenBytesBefore; ++ const bool enough = (have_now >= 2 * had_before); ++ ++ if (! enough) { ++ *endPtr = start; // callers may expect this to be set ++ return XML_ERROR_NONE; ++ } ++ } ++ const enum XML_Error ret = parser->m_processor(parser, start, end, endPtr); ++ // if we consumed nothing, remember what we had on this parse attempt. 
++ if (*endPtr == start) { ++ parser->m_partialTokenBytesBefore = have_now; ++ } else { ++ parser->m_partialTokenBytesBefore = 0; ++ } ++ return ret; ++} ++ + static XML_Bool /* only valid for root parser */ + startParsing(XML_Parser parser) { + /* hash functions must be initialized before setContext() is called */ +@@ -1141,6 +1169,7 @@ parserInit(XML_Parser parser, const XML_Char *encodingName) { + parser->m_bufferEnd = parser->m_buffer; + parser->m_parseEndByteIndex = 0; + parser->m_parseEndPtr = NULL; ++ parser->m_partialTokenBytesBefore = 0; + parser->m_declElementType = NULL; + parser->m_declAttributeId = NULL; + parser->m_declEntity = NULL; +@@ -1872,29 +1901,20 @@ XML_Parse(XML_Parser parser, const char *s, int len, int isFinal) { + to detect errors based on that fact. + */ + parser->m_errorCode +- = parser->m_processor(parser, parser->m_bufferPtr, +- parser->m_parseEndPtr, &parser->m_bufferPtr); ++ = callProcessor(parser, parser->m_bufferPtr, parser->m_parseEndPtr, ++ &parser->m_bufferPtr); + + if (parser->m_errorCode == XML_ERROR_NONE) { + switch (parser->m_parsingStatus.parsing) { + case XML_SUSPENDED: +- /* It is hard to be certain, but it seems that this case +- * cannot occur. This code is cleaning up a previous parse +- * with no new data (since len == 0). Changing the parsing +- * state requires getting to execute a handler function, and +- * there doesn't seem to be an opportunity for that while in +- * this circumstance. +- * +- * Given the uncertainty, we retain the code but exclude it +- * from coverage tests. +- * +- * LCOV_EXCL_START +- */ ++ /* While we added no new data, the finalBuffer flag may have caused ++ * us to parse previously-unparsed data in the internal buffer. ++ * If that triggered a callback to the application, it would have ++ * had an opportunity to suspend parsing. 
*/ + XmlUpdatePosition(parser->m_encoding, parser->m_positionPtr, + parser->m_bufferPtr, &parser->m_position); + parser->m_positionPtr = parser->m_bufferPtr; + return XML_STATUS_SUSPENDED; +- /* LCOV_EXCL_STOP */ + case XML_INITIALIZED: + case XML_PARSING: + parser->m_parsingStatus.parsing = XML_FINISHED; +@@ -1924,7 +1944,7 @@ XML_Parse(XML_Parser parser, const char *s, int len, int isFinal) { + parser->m_parsingStatus.finalBuffer = (XML_Bool)isFinal; + + parser->m_errorCode +- = parser->m_processor(parser, s, parser->m_parseEndPtr = s + len, &end); ++ = callProcessor(parser, s, parser->m_parseEndPtr = s + len, &end); + + if (parser->m_errorCode != XML_ERROR_NONE) { + parser->m_eventEndPtr = parser->m_eventPtr; +@@ -2027,8 +2047,8 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal) { + parser->m_parseEndByteIndex += len; + parser->m_parsingStatus.finalBuffer = (XML_Bool)isFinal; + +- parser->m_errorCode = parser->m_processor( +- parser, start, parser->m_parseEndPtr, &parser->m_bufferPtr); ++ parser->m_errorCode = callProcessor(parser, start, parser->m_parseEndPtr, ++ &parser->m_bufferPtr); + + if (parser->m_errorCode != XML_ERROR_NONE) { + parser->m_eventEndPtr = parser->m_eventPtr; +@@ -2220,7 +2240,7 @@ XML_ResumeParser(XML_Parser parser) { + } + parser->m_parsingStatus.parsing = XML_PARSING; + +- parser->m_errorCode = parser->m_processor( ++ parser->m_errorCode = callProcessor( + parser, parser->m_bufferPtr, parser->m_parseEndPtr, &parser->m_bufferPtr); + + if (parser->m_errorCode != XML_ERROR_NONE) { +-- +2.40.0 + diff --git a/meta/recipes-core/expat/expat/CVE-2023-52425-0004.patch b/meta/recipes-core/expat/expat/CVE-2023-52425-0004.patch new file mode 100644 index 0000000000..35e8e0b1e5 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2023-52425-0004.patch 
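Review bot: in the callProcessor() hunk of the preceding patch (@@ -960,6 +962,32 @@), the `! parser->m_parsingStatus.finalBuffer` test is the only thing that guarantees a partial token is ever parsed to completion: on the final buffer the deferral is skipped even when `have_now < 2 * had_before`, otherwise the `*endPtr = start; return XML_ERROR_NONE;` path would report success while leaving the tail of the document unparsed. That guard should stay ahead of the `enough` computation, and the comment ("Heuristic: don't try to parse a partial token again until ...") would be clearer if it said so explicitly, since a later rebase could easily reorder the two. Separately, the header name on the new `#include` line in the first hunk is not visible in this rendering, and patch 0008 later relies on `assert()`; please confirm the line reads as upstream 9cdf9b8d has it.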
@@ -0,0 +1,42 @@ +From 1b9d398517befeb944cbbadadf10992b07e96fa2 Mon Sep 17 00:00:00 2001 +From: Snild Dolkow +Date: Mon, 4 Sep 2023 17:21:14 +0200 +Subject: [PATCH] [PATCH] Don't update partial token heuristic on error + +Suggested-by: Sebastian Pipping + +CVE: CVE-2023-52425 + +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/1b9d398517befeb944cbbadadf10992b07e96fa2] + +Signed-off-by: Meenali Gupta +--- + lib/xmlparse.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index 5695417..5c66f54 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -979,11 +979,13 @@ callProcessor(XML_Parser parser, const char *start, const char *end, + } + } + const enum XML_Error ret = parser->m_processor(parser, start, end, endPtr); +- // if we consumed nothing, remember what we had on this parse attempt. +- if (*endPtr == start) { +- parser->m_partialTokenBytesBefore = have_now; +- } else { +- parser->m_partialTokenBytesBefore = 0; ++ if (ret == XML_ERROR_NONE) { ++ // if we consumed nothing, remember what we had on this parse attempt. ++ if (*endPtr == start) { ++ parser->m_partialTokenBytesBefore = have_now; ++ } else { ++ parser->m_partialTokenBytesBefore = 0; ++ } + } + return ret; + } +-- +2.40.0 + diff --git a/meta/recipes-core/expat/expat/CVE-2023-52425-0005.patch b/meta/recipes-core/expat/expat/CVE-2023-52425-0005.patch new file mode 100644 index 0000000000..d4e112db58 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2023-52425-0005.patch 
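Review bot: moving the `*endPtr == start` comparison under `ret == XML_ERROR_NONE` in the callProcessor() hunk is the right fix, but the one-line subject "Don't update partial token heuristic on error" gives no rationale. The `! enough` path in the same function already has to set `*endPtr` itself ("callers may expect this to be set"), which shows `*endPtr` is not written on every path, so reading it after a failed processor call is not safe; please add a sentence to the backport header or a code comment saying that. It is also worth stating that after an error the parser is switched to errorProcessor (visible in the XML_Parse()/XML_ParseBuffer() context of 0003), so leaving `m_partialTokenBytesBefore` stale is harmless.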
@@ -0,0 +1,69 @@ +From 09957b8ced725b96a95acff150facda93f03afe1 Mon Sep 17 00:00:00 2001 +From: Snild Dolkow +Date: Thu, 26 Oct 2023 10:41:00 +0200 +Subject: [PATCH] Allow XML_GetBuffer() with len=0 on a fresh parser + +len=0 was previously OK if there had previously been a non-zero call. +It makes sense to allow an application to work the same way on a +newly-created parser, and not have to care if its incoming buffer +happens to be 0. + +CVE: CVE-2023-52425 + +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/09957b8ced725b96a95acff150facda93f03afe1] + +Signed-off-by: Meenali Gupta +--- + lib/xmlparse.c | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index 5c66f54..5b112c6 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -2095,7 +2095,8 @@ XML_GetBuffer(XML_Parser parser, int len) { + default:; + } + +- if (len > EXPAT_SAFE_PTR_DIFF(parser->m_bufferLim, parser->m_bufferEnd)) { ++ if (len > EXPAT_SAFE_PTR_DIFF(parser->m_bufferLim, parser->m_bufferEnd) ++ || parser->m_buffer == NULL) { + #ifdef XML_CONTEXT_BYTES + int keep; + #endif /* defined XML_CONTEXT_BYTES */ +@@ -2118,8 +2119,9 @@ XML_GetBuffer(XML_Parser parser, int len) { + } + neededSize += keep; + #endif /* defined XML_CONTEXT_BYTES */ +- if (neededSize +- <= EXPAT_SAFE_PTR_DIFF(parser->m_bufferLim, parser->m_buffer)) { ++ if (parser->m_buffer && parser->m_bufferPtr ++ && neededSize ++ <= EXPAT_SAFE_PTR_DIFF(parser->m_bufferLim, parser->m_buffer)) { + #ifdef XML_CONTEXT_BYTES + if (keep < EXPAT_SAFE_PTR_DIFF(parser->m_bufferPtr, parser->m_buffer)) { + int offset +@@ -2133,14 +2135,12 @@ XML_GetBuffer(XML_Parser parser, int len) { + parser->m_bufferPtr -= offset; + } + #else +- if (parser->m_buffer && parser->m_bufferPtr) { +- memmove(parser->m_buffer, parser->m_bufferPtr, +- EXPAT_SAFE_PTR_DIFF(parser->m_bufferEnd, parser->m_bufferPtr)); +- parser->m_bufferEnd +- = parser->m_buffer +- + 
EXPAT_SAFE_PTR_DIFF(parser->m_bufferEnd, parser->m_bufferPtr); +- parser->m_bufferPtr = parser->m_buffer; +- } ++ memmove(parser->m_buffer, parser->m_bufferPtr, ++ EXPAT_SAFE_PTR_DIFF(parser->m_bufferEnd, parser->m_bufferPtr)); ++ parser->m_bufferEnd ++ = parser->m_buffer ++ + EXPAT_SAFE_PTR_DIFF(parser->m_bufferEnd, parser->m_bufferPtr); ++ parser->m_bufferPtr = parser->m_buffer; + #endif /* not defined XML_CONTEXT_BYTES */ + } else { + char *newBuf; +-- +2.40.0 + diff --git a/meta/recipes-core/expat/expat/CVE-2023-52425-0006.patch b/meta/recipes-core/expat/expat/CVE-2023-52425-0006.patch new file mode 100644 index 0000000000..c1fb4893ed --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2023-52425-0006.patch 
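Review bot: adding `|| parser->m_buffer == NULL` to the outer condition in the XML_GetBuffer() hunk means `XML_GetBuffer(parser, 0)` on a fresh parser now falls through to the reallocation branch and allocates INIT_BUFFER_SIZE (the `if (bufferSize == 0) bufferSize = INIT_BUFFER_SIZE;` context is visible in patch 0012), so a zero-length request is no longer free of side effects; that is what patch 0008 needs, but it deserves a line in the commit message. Lifting the `parser->m_buffer && parser->m_bufferPtr &&` guard into the `neededSize <=` condition also changes the `#ifdef XML_CONTEXT_BYTES` branch, which previously relied on EXPAT_SAFE_PTR_DIFF being NULL-aware: a NULL `m_bufferPtr` now forces reallocation even when the existing buffer is large enough. Please confirm that is intended rather than an accident of sharing the guard between the two branches.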
@@ -0,0 +1,67 @@ +From 9fe3672459c1bf10926b85f013aa1b623d855545 Mon Sep 17 00:00:00 2001 +From: Snild Dolkow +Date: Mon, 18 Sep 2023 20:32:55 +0200 +Subject: [PATCH] tests: Run both with and without partial token heuristic + +If we always run with the heuristic enabled, it may hide some bugs by +grouping up input into bigger parse attempts. + +CI-fighting-assistance-by: Sebastian Pipping + +CVE: CVE-2023-52425 + +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/9fe3672459c1bf10926b85f013aa1b623d855545] + +Signed-off-by: Meenali Gupta +--- + lib/internal.h | 3 +++ + lib/xmlparse.c | 5 ++++- + 2 files changed, 7 insertions(+), 1 deletion(-) + +diff --git a/lib/internal.h b/lib/internal.h +index 03c8fde..1df417f 100644 +--- a/lib/internal.h ++++ b/lib/internal.h +@@ -31,6 +31,7 @@ + Copyright (c) 2016-2022 Sebastian Pipping + Copyright (c) 2018 Yury Gribov + Copyright (c) 2019 David Loffredo ++ Copyright (c) 2023 Sony Corporation / Snild Dolkow + Licensed under the MIT license: + + Permission is hereby granted, free of charge, to any person obtaining +@@ -160,6 +161,8 @@ unsigned long long testingAccountingGetCountBytesIndirect(XML_Parser parser); + const char *unsignedCharToPrintable(unsigned char c); + #endif + ++extern XML_Bool g_reparseDeferralEnabledDefault; // written ONLY in runtests.c ++ // + #ifdef __cplusplus + } + #endif +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index 5b112c6..be6dd92 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -615,6 +615,8 @@ static unsigned long getDebugLevel(const char *variableName, + ? 0 \ + : ((*((pool)->ptr)++ = c), 1)) + ++XML_Bool g_reparseDeferralEnabledDefault = XML_TRUE; // write ONLY in runtests.c ++ // + struct XML_ParserStruct { + /* The first member must be m_userData so that the XML_GetUserData + macro works. 
*/ +@@ -967,7 +969,8 @@ callProcessor(XML_Parser parser, const char *start, const char *end, + const char **endPtr) { + const size_t have_now = EXPAT_SAFE_PTR_DIFF(end, start); + +- if (! parser->m_parsingStatus.finalBuffer) { ++ if (g_reparseDeferralEnabledDefault ++ && ! parser->m_parsingStatus.finalBuffer) { + // Heuristic: don't try to parse a partial token again until the amount of + // available data has increased significantly. + const size_t had_before = parser->m_partialTokenBytesBefore; +-- +2.40.0 + diff --git a/meta/recipes-core/expat/expat/CVE-2023-52425-0007.patch b/meta/recipes-core/expat/expat/CVE-2023-52425-0007.patch new file mode 100644 index 0000000000..e2fb35eae6 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2023-52425-0007.patch @@ -0,0 +1,159 @@ +From 1d3162da8a85a398ab451aadd6c2ad19587e5a68 Mon Sep 17 00:00:00 2001 +From: Snild Dolkow +Date: Mon, 11 Sep 2023 15:31:24 +0200 +Subject: [PATCH] Add app setting for enabling/disabling reparse heuristic + +Suggested-by: Sebastian Pipping +CI-fighting-assistance-by: Sebastian Pipping + +CVE: CVE-2023-52425 + +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/1d3162da8a85a398ab451aadd6c2ad19587e5a68] + +Signed-off-by: Meenali Gupta +--- + doc/reference.html | 30 ++++++++++++++++++++++++------ + lib/expat.h | 5 +++++ + lib/libexpat.def.cmake | 2 ++ + lib/xmlparse.c | 13 ++++++++++++- + 4 files changed, 43 insertions(+), 7 deletions(-) + +diff --git a/doc/reference.html b/doc/reference.html +index 9953aa7..7dd9370 100644 +--- a/doc/reference.html ++++ b/doc/reference.html +@@ -151,10 +151,11 @@ interface.

+ + +
  • +- Billion Laughs Attack Protection ++ Attack Protection + +
  • +
  • Miscellaneous Functions +@@ -2123,11 +2124,7 @@ parse position may be before the beginning of the buffer.

    + return NULL.

    + + +-

    Billion Laughs Attack Protection

    +- +-

    The functions in this section configure the built-in +- protection against various forms of +- billion laughs attacks.

    ++

    Attack Protection

    + +

    XML_SetBillionLaughsAttackProtectionMaximumAmplification

    +
    +@@ -2215,6 +2212,27 @@ XML_SetBillionLaughsAttackProtectionActivationThreshold(XML_Parser p,
    +   

    + + ++

    XML_SetReparseDeferralEnabled

    ++
    ++/* Added in Expat 2.6.0. */
    ++XML_Bool XMLCALL
    ++XML_SetReparseDeferralEnabled(XML_Parser parser, XML_Bool enabled);
    ++
    ++
    ++

    ++ Large tokens may require many parse calls before enough data is available for Expat to parse it in full. ++ If Expat retried parsing the token on every parse call, parsing could take quadratic time. ++ To avoid this, Expat only retries once a significant amount of new data is available. ++ This function allows disabling this behavior. ++

    ++

    ++ The enabled argument should be XML_TRUE or XML_FALSE. ++

    ++

    ++ Returns XML_TRUE on success, and XML_FALSE on error. ++

    ++
    ++ +

    Miscellaneous functions

    + +

    The functions in this section either obtain state information from +diff --git a/lib/expat.h b/lib/expat.h +index 9e64174..73dda6d 100644 +--- a/lib/expat.h ++++ b/lib/expat.h +@@ -16,6 +16,7 @@ + Copyright (c) 2016 Thomas Beutlich + Copyright (c) 2017 Rhodri James + Copyright (c) 2022 Thijs Schreijer ++ Copyright (c) 2023 Sony Corporation / Snild Dolkow + Licensed under the MIT license: + + Permission is hereby granted, free of charge, to any person obtaining +@@ -1054,6 +1055,10 @@ XML_SetBillionLaughsAttackProtectionActivationThreshold( + XML_Parser parser, unsigned long long activationThresholdBytes); + #endif + ++/* Added in Expat 2.6.0. */ ++XMLPARSEAPI(XML_Bool) ++XML_SetReparseDeferralEnabled(XML_Parser parser, XML_Bool enabled); ++ + /* Expat follows the semantic versioning convention. + See http://semver.org. + */ +diff --git a/lib/libexpat.def.cmake b/lib/libexpat.def.cmake +index 61a4f00..10ee9cd 100644 +--- a/lib/libexpat.def.cmake ++++ b/lib/libexpat.def.cmake +@@ -77,3 +77,5 @@ EXPORTS + ; added with version 2.4.0 + @_EXPAT_COMMENT_DTD_OR_GE@ XML_SetBillionLaughsAttackProtectionActivationThreshold @69 + @_EXPAT_COMMENT_DTD_OR_GE@ XML_SetBillionLaughsAttackProtectionMaximumAmplification @70 ++; added with version 2.6.0 ++ XML_SetReparseDeferralEnabled @71 +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index be6dd92..8cf32e0 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -633,6 +633,7 @@ struct XML_ParserStruct { + XML_Index m_parseEndByteIndex; + const char *m_parseEndPtr; + size_t m_partialTokenBytesBefore; /* used in heuristic to avoid O(n^2) */ ++ XML_Bool m_reparseDeferralEnabled; + XML_Char *m_dataBuf; + XML_Char *m_dataBufEnd; + XML_StartElementHandler m_startElementHandler; +@@ -969,7 +970,7 @@ callProcessor(XML_Parser parser, const char *start, const char *end, + const char **endPtr) { + const size_t have_now = EXPAT_SAFE_PTR_DIFF(end, start); + +- if (g_reparseDeferralEnabledDefault ++ if (parser->m_reparseDeferralEnabled + && ! 
parser->m_parsingStatus.finalBuffer) { + // Heuristic: don't try to parse a partial token again until the amount of + // available data has increased significantly. +@@ -1175,6 +1176,7 @@ parserInit(XML_Parser parser, const XML_Char *encodingName) { + parser->m_parseEndByteIndex = 0; + parser->m_parseEndPtr = NULL; + parser->m_partialTokenBytesBefore = 0; ++ parser->m_reparseDeferralEnabled = g_reparseDeferralEnabledDefault; + parser->m_declElementType = NULL; + parser->m_declAttributeId = NULL; + parser->m_declEntity = NULL; +@@ -2601,6 +2603,15 @@ XML_SetBillionLaughsAttackProtectionActivationThreshold( + } + #endif /* XML_GE == 1 */ + ++XML_Bool XMLCALL ++XML_SetReparseDeferralEnabled(XML_Parser parser, XML_Bool enabled) { ++ if (parser != NULL && (enabled == XML_TRUE || enabled == XML_FALSE)) { ++ parser->m_reparseDeferralEnabled = enabled; ++ return XML_TRUE; ++ } ++ return XML_FALSE; ++} ++ + /* Initially tag->rawName always points into the parse buffer; + for those TAG instances opened while the current parse buffer was + processed, and not yet closed, we need to store tag->rawName in a more +-- +2.40.0 + diff --git a/meta/recipes-core/expat/expat/CVE-2023-52425-0008.patch b/meta/recipes-core/expat/expat/CVE-2023-52425-0008.patch new file mode 100644 index 0000000000..fa25fcd2db --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2023-52425-0008.patch 
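Review bot: the lib/expat.h and libexpat.def.cmake hunks add a new public symbol, `XML_SetReparseDeferralEnabled` (export ordinal @71, documented in the reference.html hunk as "Added in Expat 2.6.0"), to a library that still identifies itself as 2.5.0 (this is expat_2.5.0.bb). Applications that check the Expat version before calling it will not find it, and anything built against this expat will depend on a symbol that a stock 2.5.0 lacks; please call that out in the recipe or the backport header and decide whether exporting it is acceptable for kirkstone. The implementation itself looks right: the setter rejects anything other than XML_TRUE/XML_FALSE, and because parserInit() now seeds `m_reparseDeferralEnabled` from `g_reparseDeferralEnabledDefault`, the test-only global from patch 0006 is read once per parser initialisation instead of on every callProcessor() call.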
@@ -0,0 +1,95 @@ +From 8ddd8e86aa446d02eb8d398972d3b10d4cad908a Mon Sep 17 00:00:00 2001 +From: Snild Dolkow +Date: Fri, 29 Sep 2023 10:14:59 +0200 +Subject: [PATCH] Try to parse even when incoming len is zero + +If the reparse deferral setting has changed, it may be possible to +finish a token. + +CVE: CVE-2023-52425 + +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/8ddd8e86aa446d02eb8d398972d3b10d4cad908a] + +Signed-off-by: Meenali Gupta +--- + lib/xmlparse.c | 55 ++++++++------------------------------------------ + 1 file changed, 8 insertions(+), 47 deletions(-) + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index 8cf32e0..f4ff66e 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -1896,46 +1896,8 @@ XML_Parse(XML_Parser parser, const char *s, int len, int isFinal) { + parser->m_parsingStatus.parsing = XML_PARSING; + } + +- if (len == 0) { +- parser->m_parsingStatus.finalBuffer = (XML_Bool)isFinal; +- if (! isFinal) +- return XML_STATUS_OK; +- parser->m_positionPtr = parser->m_bufferPtr; +- parser->m_parseEndPtr = parser->m_bufferEnd; +- +- /* If data are left over from last buffer, and we now know that these +- data are the final chunk of input, then we have to check them again +- to detect errors based on that fact. +- */ +- parser->m_errorCode +- = callProcessor(parser, parser->m_bufferPtr, parser->m_parseEndPtr, +- &parser->m_bufferPtr); +- +- if (parser->m_errorCode == XML_ERROR_NONE) { +- switch (parser->m_parsingStatus.parsing) { +- case XML_SUSPENDED: +- /* While we added no new data, the finalBuffer flag may have caused +- * us to parse previously-unparsed data in the internal buffer. +- * If that triggered a callback to the application, it would have +- * had an opportunity to suspend parsing. 
*/ +- XmlUpdatePosition(parser->m_encoding, parser->m_positionPtr, +- parser->m_bufferPtr, &parser->m_position); +- parser->m_positionPtr = parser->m_bufferPtr; +- return XML_STATUS_SUSPENDED; +- case XML_INITIALIZED: +- case XML_PARSING: +- parser->m_parsingStatus.parsing = XML_FINISHED; +- /* fall through */ +- default: +- return XML_STATUS_OK; +- } +- } +- parser->m_eventEndPtr = parser->m_eventPtr; +- parser->m_processor = errorProcessor; +- return XML_STATUS_ERROR; +- } + #ifndef XML_CONTEXT_BYTES +- else if (parser->m_bufferPtr == parser->m_bufferEnd) { ++ if (parser->m_bufferPtr == parser->m_bufferEnd) { + const char *end; + int nLeftOver; + enum XML_Status result; +@@ -2006,15 +1968,14 @@ XML_Parse(XML_Parser parser, const char *s, int len, int isFinal) { + return result; + } + #endif /* not defined XML_CONTEXT_BYTES */ +- else { +- void *buff = XML_GetBuffer(parser, len); +- if (buff == NULL) +- return XML_STATUS_ERROR; +- else { +- memcpy(buff, s, len); +- return XML_ParseBuffer(parser, len, isFinal); +- } ++ void *buff = XML_GetBuffer(parser, len); ++ if (buff == NULL) ++ return XML_STATUS_ERROR; ++ if (len > 0) { ++ assert(s != NULL); // make sure s==NULL && len!=0 was rejected above ++ memcpy(buff, s, len); + } ++ return XML_ParseBuffer(parser, len, isFinal); + } + + enum XML_Status XMLCALL +-- +2.40.0 + diff --git a/meta/recipes-core/expat/expat/CVE-2023-52425-0009.patch b/meta/recipes-core/expat/expat/CVE-2023-52425-0009.patch new file mode 100644 index 0000000000..9c1157faac --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2023-52425-0009.patch 
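Review bot: removing the `len == 0` early return in the XML_Parse() hunk means a zero-length, non-final call now goes through `XML_GetBuffer(parser, 0)` and `XML_ParseBuffer(parser, 0, isFinal)` instead of returning XML_STATUS_OK untouched, which is the intended way to reparse buffered data after the deferral setting changes; this only works because patch 0005 made XML_GetBuffer() accept len=0 on a fresh parser, so the 0005-before-0008 ordering is load-bearing and should be noted in the recipe. The new `assert(s != NULL)` is a debug-only check that disappears under NDEBUG, so the `s == NULL && len != 0` rejection its comment refers to has to remain in the validation at the top of XML_Parse(), which is outside this hunk; please double-check it is present in the 2.5.0 base before the memcpy.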
@@ -0,0 +1,52 @@ +From ad9c01be8ee5d3d5cac2bfd3949ad764541d35e7 Mon Sep 17 00:00:00 2001 +From: Snild Dolkow +Date: Thu, 26 Oct 2023 13:55:02 +0200 +Subject: [PATCH] Make external entity parser inherit partial token heuristic + setting + +The test is essentially a copy of the existing test for the setter, +adapted to run on the external parser instead of the original one. + +Suggested-by: Sebastian Pipping +CI-fighting-assistance-by: Sebastian Pipping + +CVE: CVE-2023-52425 + +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/ad9c01be8ee5d3d5cac2bfd3949ad764541d35e7] + +Signed-off-by: Meenali Gupta +--- + lib/xmlparse.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index f4ff66e..6746d70 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -1346,6 +1346,7 @@ XML_ExternalEntityParserCreate(XML_Parser oldParser, const XML_Char *context, + to worry which hash secrets each table has. + */ + unsigned long oldhash_secret_salt; ++ XML_Bool oldReparseDeferralEnabled; + + /* Validate the oldParser parameter before we pull everything out of it */ + if (oldParser == NULL) +@@ -1390,6 +1391,7 @@ XML_ExternalEntityParserCreate(XML_Parser oldParser, const XML_Char *context, + to worry which hash secrets each table has. + */ + oldhash_secret_salt = parser->m_hash_secret_salt; ++ oldReparseDeferralEnabled = parser->m_reparseDeferralEnabled; + + #ifdef XML_DTD + if (! context) +@@ -1442,6 +1444,7 @@ XML_ExternalEntityParserCreate(XML_Parser oldParser, const XML_Char *context, + parser->m_defaultExpandInternalEntities = oldDefaultExpandInternalEntities; + parser->m_ns_triplets = oldns_triplets; + parser->m_hash_secret_salt = oldhash_secret_salt; ++ parser->m_reparseDeferralEnabled = oldReparseDeferralEnabled; + parser->m_parentParser = oldParser; + #ifdef XML_DTD + parser->m_paramEntityParsing = oldParamEntityParsing; +-- +2.40.0 + 
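Review bot: the XML_ExternalEntityParserCreate() hunks copy `m_reparseDeferralEnabled` to the child parser but not `m_partialTokenBytesBefore` (nor, after patch 0010, `m_lastBufferRequestSize`). That is correct, because the child parser has its own buffer and parserInit() zeroes those counters, but nothing says so; a one-line comment beside `oldReparseDeferralEnabled` noting that only the setting is inherited would keep someone from "completing" the copy later. The local is declared after `oldhash_secret_salt` under a comment about hash secrets, so a comment of its own would also stop the two from being read as related.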
diff --git a/meta/recipes-core/expat/expat/CVE-2023-52425-0010.patch b/meta/recipes-core/expat/expat/CVE-2023-52425-0010.patch new file mode 100644 index 0000000000..3fbf69de08 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2023-52425-0010.patch 
@@ -0,0 +1,111 @@ +From 60b74209899a67d426d208662674b55a5eed918c Mon Sep 17 00:00:00 2001 +From: Snild Dolkow +Date: Wed, 4 Oct 2023 16:00:14 +0200 +Subject: [PATCH] Bypass partial token heuristic when close to maximum buffer + size + +For huge tokens, we may end up in a situation where the partial token +parse deferral heuristic demands more bytes than Expat's maximum buffer +size (currently ~half of INT_MAX) could fit. + +INT_MAX/2 is 1024 MiB on most systems. Clearly, a token of 950 MiB could +fit in that buffer, but the reparse threshold might be such that +callProcessor() will defer it, allowing the app to keep filling the +buffer until XML_GetBuffer() eventually returns a memory error. + +By bypassing the heuristic when we're getting close to the maximum +buffer size, it will once again be possible to parse tokens in the size +range INT_MAX/2/ratio < size < INT_MAX/2 reliably. + +We subtract the last buffer fill size as a way to detect that the next +XML_GetBuffer() call has a risk of returning a memory error -- assuming +that the application is likely to keep using the same (or smaller) fill. + +We subtract XML_CONTEXT_BYTES because that's the maximum amount of bytes +that could remain at the start of the buffer, preceding the partial +token. Technically, it could be fewer bytes, but XML_CONTEXT_BYTES is +normally small relative to INT_MAX, and is much simpler to use. + +Co-authored-by: Sebastian Pipping + +CVE: CVE-2023-52425 + +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/60b74209899a67d426d208662674b55a5eed918c] + +Signed-off-by: Meenali Gupta +--- + lib/xmlparse.c | 23 ++++++++++++++++++++++- + 1 file changed, 22 insertions(+), 1 deletion(-) + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index 6746d70..32c57f6 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -205,6 +205,8 @@ typedef char ICHAR; + /* Do safe (NULL-aware) pointer arithmetic */ + #define EXPAT_SAFE_PTR_DIFF(p, q) (((p) && (q)) ? 
((p) - (q)) : 0) + ++#define EXPAT_MIN(a, b) (((a) < (b)) ? (a) : (b)) ++ + #include "internal.h" + #include "xmltok.h" + #include "xmlrole.h" +@@ -634,6 +636,7 @@ struct XML_ParserStruct { + const char *m_parseEndPtr; + size_t m_partialTokenBytesBefore; /* used in heuristic to avoid O(n^2) */ + XML_Bool m_reparseDeferralEnabled; ++ int m_lastBufferRequestSize; + XML_Char *m_dataBuf; + XML_Char *m_dataBufEnd; + XML_StartElementHandler m_startElementHandler; +@@ -975,7 +978,18 @@ callProcessor(XML_Parser parser, const char *start, const char *end, + // Heuristic: don't try to parse a partial token again until the amount of + // available data has increased significantly. + const size_t had_before = parser->m_partialTokenBytesBefore; +- const bool enough = (have_now >= 2 * had_before); ++ // ...but *do* try anyway if we're close to reaching the max buffer size. ++ size_t close_to_maxbuf = INT_MAX / 2 + (INT_MAX & 1); // round up ++#if XML_CONTEXT_BYTES > 0 ++ // subtract XML_CONTEXT_BYTES, but don't go below zero ++ close_to_maxbuf -= EXPAT_MIN(close_to_maxbuf, XML_CONTEXT_BYTES); ++#endif ++ // subtract the last buffer fill size, but don't go below zero ++ // m_lastBufferRequestSize is never assigned a value < 0, so the cast is ok ++ close_to_maxbuf ++ -= EXPAT_MIN(close_to_maxbuf, (size_t)parser->m_lastBufferRequestSize); ++ const bool enough ++ = (have_now >= 2 * had_before) || (have_now > close_to_maxbuf); + + if (! 
enough) { + *endPtr = start; // callers may expect this to be set +@@ -1177,6 +1191,7 @@ parserInit(XML_Parser parser, const XML_Char *encodingName) { + parser->m_parseEndPtr = NULL; + parser->m_partialTokenBytesBefore = 0; + parser->m_reparseDeferralEnabled = g_reparseDeferralEnabledDefault; ++ parser->m_lastBufferRequestSize = 0; + parser->m_declElementType = NULL; + parser->m_declAttributeId = NULL; + parser->m_declEntity = NULL; +@@ -1911,6 +1926,9 @@ XML_Parse(XML_Parser parser, const char *s, int len, int isFinal) { + parser->m_processor = errorProcessor; + return XML_STATUS_ERROR; + } ++ // though this isn't a buffer request, we assume that `len` is the app's ++ // preferred buffer fill size, and therefore save it here. ++ parser->m_lastBufferRequestSize = len; + parser->m_parseEndByteIndex += len; + parser->m_positionPtr = s; + parser->m_parsingStatus.finalBuffer = (XML_Bool)isFinal; +@@ -2064,6 +2082,9 @@ XML_GetBuffer(XML_Parser parser, int len) { + default:; + } + ++ // whether or not the request succeeds, `len` seems to be the app's preferred ++ // buffer fill size; remember it. ++ parser->m_lastBufferRequestSize = len; + if (len > EXPAT_SAFE_PTR_DIFF(parser->m_bufferLim, parser->m_bufferEnd) + || parser->m_buffer == NULL) { + #ifdef XML_CONTEXT_BYTES +-- +2.40.0 + diff --git a/meta/recipes-core/expat/expat/CVE-2023-52425-0011.patch b/meta/recipes-core/expat/expat/CVE-2023-52425-0011.patch new file mode 100644 index 0000000000..800aaff544 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2023-52425-0011.patch 
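Review bot: the callProcessor() hunk uses `#if XML_CONTEXT_BYTES > 0` while the surrounding 2.5.0 code, including the XML_GetBuffer() context in this same patch, uses `#ifdef XML_CONTEXT_BYTES`. The two agree when the macro is undefined or positive, but a build that defines it to 0 would take the `#ifdef` branches and skip this subtraction, so please use one form consistently in the backport (keeping `#ifdef` here is the smaller change). The bound itself looks right: `close_to_maxbuf` starts at INT_MAX/2 rounded up and both subtractions are clamped with EXPAT_MIN, so the `size_t` cannot wrap. The comment that `m_lastBufferRequestSize` is never negative relies on the `len < 0` rejection earlier in XML_Parse() and XML_GetBuffer(), which is outside both hunks; a cross-reference would make the `(size_t)` cast easier to audit.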
@@ -0,0 +1,89 @@ +From 3d8141d26a3b01ff948e00956cb0723a89dadf7f Mon Sep 17 00:00:00 2001 +From: Snild Dolkow +Date: Mon, 20 Nov 2023 16:11:24 +0100 +Subject: [PATCH] Bypass partial token heuristic when nearing full buffer + +...instead of only when approaching the maximum buffer size INT/2+1. + +We'd like to give applications a chance to finish parsing a large token +before buffer reallocation, in case the reallocation fails. + +By bypassing the reparse deferral heuristic when getting close to the +filling the buffer, we give them this chance -- if the whole token is +present in the buffer, it will be parsed at that time. + +This may come at the cost of some extra reparse attempts. For a token +of n bytes, these extra parses cause us to scan over a maximum of +2n bytes (... + n/8 + n/4 + n/2 + n). Therefore, parsing of big tokens +remains O(n) in regard how many bytes we scan in attempts to parse. The +cost in reality is lower than that, since the reparses that happen due +to the bypass will affect m_partialTokenBytesBefore, delaying the next +ratio-based reparse. Furthermore, only the first token that "breaks +through" a buffer ceiling takes that extra reparse attempt; subsequent +large tokens will only bypass the heuristic if they manage to hit the +new buffer ceiling. + +Note that this cost analysis depends on the assumption that Expat grows +its buffer by doubling it (or, more generally, grows it exponentially). +If this changes, the cost of this bypass may increase. Hopefully, this +would be caught by test_big_tokens_take_linear_time or the new test. + +The bypass logic assumes that the application uses a consistent fill. +If the app increases its fill size, it may miss the bypass (and the +normal heuristic will apply). If the app decreases its fill size, the +bypass may be hit multiple times for the same buffer size. 
The very +worst case would be to always fill half of the remaining buffer space, +in which case parsing of a large n-byte token becomes O(n log n). + +As an added bonus, the new test case should be faster than the old one, +since it doesn't have to go all the way to 1GiB to check the behavior. + +Finally, this change necessitated a small modification to two existing +tests related to reparse deferral. These tests are testing the deferral +enabled setting, and assume that reparsing will not happen for any other +reason. By pre-growing the buffer, we make sure that this new deferral +does not affect those test cases. + +CVE: CVE-2023-52425 + +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/3d8141d26a3b01ff948e00956cb0723a89dadf7f] + +Signed-off-by: Meenali Gupta +--- + lib/xmlparse.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index 32c57f6..2830c1e 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -978,18 +978,18 @@ callProcessor(XML_Parser parser, const char *start, const char *end, + // Heuristic: don't try to parse a partial token again until the amount of + // available data has increased significantly. + const size_t had_before = parser->m_partialTokenBytesBefore; +- // ...but *do* try anyway if we're close to reaching the max buffer size. +- size_t close_to_maxbuf = INT_MAX / 2 + (INT_MAX & 1); // round up ++ // ...but *do* try anyway if we're close to causing a reallocation. 
++ size_t available_buffer ++ = EXPAT_SAFE_PTR_DIFF(parser->m_bufferPtr, parser->m_buffer); + #if XML_CONTEXT_BYTES > 0 +- // subtract XML_CONTEXT_BYTES, but don't go below zero +- close_to_maxbuf -= EXPAT_MIN(close_to_maxbuf, XML_CONTEXT_BYTES); ++ available_buffer -= EXPAT_MIN(available_buffer, XML_CONTEXT_BYTES); + #endif +- // subtract the last buffer fill size, but don't go below zero ++ available_buffer ++ += EXPAT_SAFE_PTR_DIFF(parser->m_bufferLim, parser->m_bufferEnd); + // m_lastBufferRequestSize is never assigned a value < 0, so the cast is ok +- close_to_maxbuf +- -= EXPAT_MIN(close_to_maxbuf, (size_t)parser->m_lastBufferRequestSize); + const bool enough +- = (have_now >= 2 * had_before) || (have_now > close_to_maxbuf); ++ = (have_now >= 2 * had_before) ++ || ((size_t)parser->m_lastBufferRequestSize > available_buffer); + + if (! enough) { + *endPtr = start; // callers may expect this to be set +-- +2.40.0 + diff --git a/meta/recipes-core/expat/expat/CVE-2023-52425-0012.patch b/meta/recipes-core/expat/expat/CVE-2023-52425-0012.patch new file mode 100644 index 0000000000..8693e9449e --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2023-52425-0012.patch 
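Review bot: in the callProcessor() hunk the comment `// m_lastBufferRequestSize is never assigned a value < 0, so the cast is ok` is now stranded between the `available_buffer +=` statement and the `enough` expression that actually contains the `(size_t)parser->m_lastBufferRequestSize` cast; please move it directly above `const bool enough` so it sits next to what it justifies. Also, `available_buffer` treats the parsed prefix `m_bufferPtr - m_buffer` as reusable only after subtracting the full XML_CONTEXT_BYTES, whereas XML_GetBuffer() keeps at most that many bytes (the `keep < EXPAT_SAFE_PTR_DIFF(parser->m_bufferPtr, parser->m_buffer)` context in patch 0005 shows it can be fewer). That makes the bypass fire slightly early, costing an extra reparse but never deferring past a reallocation, so it is safe; since the 0010 message is the only place this trade-off is explained, a short comment here would help.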
@@ -0,0 +1,87 @@ +From 119ae277abaabd4d17b2e64300fec712ef403b28 Mon Sep 17 00:00:00 2001 +From: Snild Dolkow +Date: Thu, 28 Sep 2023 18:26:19 +0200 +Subject: [PATCH] Grow buffer based on current size Until now, the buffer size + to grow to has been calculated based on the distance from the current parse + position to the end of the buffer. This means that the size of any + already-parsed data was not considered, leading to inconsistent buffer + growth. + +There was also a special case in XML_Parse() when XML_CONTEXT_BYTES was +zero, where the buffer size would be set to twice the incoming string +length. This patch replaces this with an XML_GetBuffer() call. + +Growing the buffer based on its total size makes its growth consistent. + +The commit includes a test that checks that we can reach the max buffer +size (usually INT_MAX/2 + 1) regardless of previously parsed content. + +GitHub CI couldn't allocate the full 1GiB with MinGW/wine32, though it +works locally with the same compiler and wine version. As a workaround, +the test tries to malloc 1GiB, and reduces `maxbuf` to 512MiB in case +of failure. 
+ +CVE: CVE-2023-52425 + +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/119ae277abaabd4d17b2e64300fec712ef403b28] + +Signed-off-by: Meenali Gupta +--- + lib/xmlparse.c | 33 ++++++++++++++++----------------- + 1 file changed, 16 insertions(+), 17 deletions(-) + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index 2830c1e..81f9bb3 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -1961,23 +1961,22 @@ XML_Parse(XML_Parser parser, const char *s, int len, int isFinal) { + &parser->m_position); + nLeftOver = s + len - end; + if (nLeftOver) { +- if (parser->m_buffer == NULL +- || nLeftOver > parser->m_bufferLim - parser->m_buffer) { +- /* avoid _signed_ integer overflow */ +- char *temp = NULL; +- const int bytesToAllocate = (int)((unsigned)len * 2U); +- if (bytesToAllocate > 0) { +- temp = (char *)REALLOC(parser, parser->m_buffer, bytesToAllocate); +- } +- if (temp == NULL) { +- parser->m_errorCode = XML_ERROR_NO_MEMORY; +- parser->m_eventPtr = parser->m_eventEndPtr = NULL; +- parser->m_processor = errorProcessor; +- return XML_STATUS_ERROR; +- } +- parser->m_buffer = temp; +- parser->m_bufferLim = parser->m_buffer + bytesToAllocate; ++ // Back up and restore the parsing status to avoid XML_ERROR_SUSPENDED ++ // (and XML_ERROR_FINISHED) from XML_GetBuffer. ++ const enum XML_Parsing originalStatus = parser->m_parsingStatus.parsing; ++ parser->m_parsingStatus.parsing = XML_PARSING; ++ void *const temp = XML_GetBuffer(parser, nLeftOver); ++ parser->m_parsingStatus.parsing = originalStatus; ++ if (temp == NULL) { ++ // NOTE: parser->m_errorCode has already been set by XML_GetBuffer(). 
++ parser->m_eventPtr = parser->m_eventEndPtr = NULL; ++ parser->m_processor = errorProcessor; ++ return XML_STATUS_ERROR; + } ++ // Since we know that the buffer was empty and XML_CONTEXT_BYTES is 0, we ++ // don't have any data to preserve, and can copy straight into the start ++ // of the buffer rather than the GetBuffer return pointer (which may be ++ // pointing further into the allocated buffer). + memcpy(parser->m_buffer, end, nLeftOver); + } + parser->m_bufferPtr = parser->m_buffer; +@@ -2135,7 +2134,7 @@ XML_GetBuffer(XML_Parser parser, int len) { + } else { + char *newBuf; + int bufferSize +- = (int)EXPAT_SAFE_PTR_DIFF(parser->m_bufferLim, parser->m_bufferPtr); ++ = (int)EXPAT_SAFE_PTR_DIFF(parser->m_bufferLim, parser->m_buffer); + if (bufferSize == 0) + bufferSize = INIT_BUFFER_SIZE; + do { +-- +2.40.0 + diff --git a/meta/recipes-core/expat/expat_2.5.0.bb b/meta/recipes-core/expat/expat_2.5.0.bb index 31e989cfe2..b7b5cce925 100644 --- a/meta/recipes-core/expat/expat_2.5.0.bb +++ b/meta/recipes-core/expat/expat_2.5.0.bb 
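Review bot: in the XML_Parse() hunk, the retained `memcpy(parser->m_buffer, end, nLeftOver);` ignores the pointer that XML_GetBuffer() just returned in `temp` and relies on the precondition spelled out in the new comment (buffer empty, XML_CONTEXT_BYTES is 0) for the two addresses to coincide; if that precondition is ever relaxed this becomes a silent overwrite of data XML_GetBuffer() was asked to preserve. Make the assumption checkable rather than documentary, for example `assert(temp == (void *)parser->m_buffer);` directly after the NULL test, or copy into `temp` and keep the comment explaining why it equals m_buffer here. The save/restore of m_parsingStatus.parsing around the call is fine, but since the old path set XML_ERROR_NO_MEMORY itself and the new one depends on XML_GetBuffer() having done so (the NOTE line), it is worth confirming that every failure return of XML_GetBuffer() sets m_errorCode, otherwise errorProcessor is installed with a stale error code.

Review bot: the XML_GetBuffer() hunk changes the growth base from `EXPAT_SAFE_PTR_DIFF(parser->m_bufferLim, parser->m_bufferPtr)` to `EXPAT_SAFE_PTR_DIFF(parser->m_bufferLim, parser->m_buffer)`, so the do/while doubling that follows now grows from the total allocation rather than from the unparsed tail; that is the fix the commit message describes, but the message also says a test reaching the maximum buffer size was added upstream, while the diffstat lists only `lib/xmlparse.c | 33 ++++++++++++++++-----------------`. State in the backport header that the test was dropped, or carry it into the recipe's test suite so the 2.5.0 build actually exercises the new growth policy.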
@@ -22,6 +22,18 @@ SRC_URI = "https://github.com/libexpat/libexpat/releases/download/R_${VERSION_TA file://CVE-2023-52426-009.patch \ file://CVE-2023-52426-010.patch \ file://CVE-2023-52426-011.patch \ + file://CVE-2023-52425-0001.patch \ + file://CVE-2023-52425-0002.patch \ + file://CVE-2023-52425-0003.patch \ + file://CVE-2023-52425-0004.patch \ + file://CVE-2023-52425-0005.patch \ + file://CVE-2023-52425-0006.patch \ + file://CVE-2023-52425-0007.patch \ + file://CVE-2023-52425-0008.patch \ + file://CVE-2023-52425-0009.patch \ + file://CVE-2023-52425-0010.patch \ + file://CVE-2023-52425-0011.patch \ + file://CVE-2023-52425-0012.patch \ " UPSTREAM_CHECK_URI = "https://github.com/libexpat/libexpat/releases/" From patchwork Wed Apr 3 03:46:57 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 41940 X-Patchwork-Delegate: steve@sakoman.com
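Review bot: the expat_2.5.0.bb hunk appends CVE-2023-52425-0001 through -0012 after the existing CVE-2023-52426 series; the one patch shown in this mail rewrites XML_Parse() and XML_GetBuffer() in lib/xmlparse.c, so if any of the 52426 patches touch the same functions their context lines shift and the order becomes load-bearing. Confirm the twelve patches apply cleanly in exactly this sequence (`bitbake -c patch expat`) and that the 0001..0012 numbering follows the upstream commit order the backport headers cite, so a later refresh does not silently reorder them.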
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 4/9] curl: backport Debian patch for CVE-2024-2398 Date: Tue, 2 Apr 2024 17:46:57 -1000 Message-Id: <67026cbb62e166b6a9f5509708531ebe0f36c36d.1712115855.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 03 Apr 2024 03:47:23 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/197897 From: Vijay Anusuri import patch from ubuntu to fix CVE-2024-2398 Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/curl/tree/debian/patches/?h=ubuntu%2Fjammy-security Upstream commit https://github.com/curl/curl/commit/deca8039991886a559b67bcd6701db800a5cf764] Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- .../curl/curl/CVE-2024-2398.patch | 89 +++++++++++++++++++ meta/recipes-support/curl/curl_7.82.0.bb | 1 + 2 files changed, 90 insertions(+) create mode 100644 meta/recipes-support/curl/curl/CVE-2024-2398.patch diff --git a/meta/recipes-support/curl/curl/CVE-2024-2398.patch b/meta/recipes-support/curl/curl/CVE-2024-2398.patch new file mode 100644 index 0000000000..ea55117f4d --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2024-2398.patch 
@@ -0,0 +1,89 @@ +Backport of: + +From deca8039991886a559b67bcd6701db800a5cf764 Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Wed, 6 Mar 2024 09:36:08 +0100 +Subject: [PATCH] http2: push headers better cleanup + +- provide common cleanup method for push headers + +Closes #13054 + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/curl/tree/debian/patches/CVE-2024-2398.patch?h=ubuntu/jammy-security +Upstream commit https://github.com/curl/curl/commit/deca8039991886a559b67bcd6701db800a5cf764] +CVE: CVE-2024-2398 +Signed-off-by: Vijay Anusuri +--- + lib/http2.c | 34 +++++++++++++++------------------- + 1 file changed, 15 insertions(+), 19 deletions(-) + +--- a/lib/http2.c ++++ b/lib/http2.c +@@ -555,6 +555,15 @@ static int set_transfer_url(struct Curl_ + return 0; + } + ++static void free_push_headers(struct HTTP *stream) ++{ ++ size_t i; ++ for(i = 0; ipush_headers_used; i++) ++ free(stream->push_headers[i]); ++ Curl_safefree(stream->push_headers); ++ stream->push_headers_used = 0; ++} ++ + static int push_promise(struct Curl_easy *data, + struct connectdata *conn, + const nghttp2_push_promise *frame) +@@ -568,7 +577,6 @@ static int push_promise(struct Curl_easy + struct curl_pushheaders heads; + CURLMcode rc; + struct http_conn *httpc; +- size_t i; + /* clone the parent */ + struct Curl_easy *newhandle = duphandle(data); + if(!newhandle) { +@@ -604,11 +612,7 @@ static int push_promise(struct Curl_easy + Curl_set_in_callback(data, false); + + /* free the headers again */ +- for(i = 0; ipush_headers_used; i++) +- free(stream->push_headers[i]); +- free(stream->push_headers); +- stream->push_headers = NULL; +- stream->push_headers_used = 0; ++ free_push_headers(stream); + + if(rv) { + DEBUGASSERT((rv > CURL_PUSH_OK) && (rv <= CURL_PUSH_ERROROUT)); +@@ -1045,10 +1049,10 @@ static int on_header(nghttp2_session *se + stream->push_headers_alloc) { + char **headp; + stream->push_headers_alloc *= 2; +- headp = 
Curl_saferealloc(stream->push_headers, +- stream->push_headers_alloc * sizeof(char *)); ++ headp = realloc(stream->push_headers, ++ stream->push_headers_alloc * sizeof(char *)); + if(!headp) { +- stream->push_headers = NULL; ++ free_push_headers(stream); + return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE; + } + stream->push_headers = headp; +@@ -1214,15 +1218,7 @@ void Curl_http2_done(struct Curl_easy *d + setup */ + Curl_dyn_free(&http->header_recvbuf); + Curl_dyn_free(&http->trailer_recvbuf); +- if(http->push_headers) { +- /* if they weren't used and then freed before */ +- for(; http->push_headers_used > 0; --http->push_headers_used) { +- free(http->push_headers[http->push_headers_used - 1]); +- } +- free(http->push_headers); +- http->push_headers = NULL; +- } +- ++ free_push_headers(http); + if(!(data->conn->handler->protocol&PROTO_FAMILY_HTTP) || + !httpc->h2) /* not HTTP/2 ? */ + return; diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb index 383cf415d9..72d8544e08 100644 --- a/meta/recipes-support/curl/curl_7.82.0.bb +++ b/meta/recipes-support/curl/curl_7.82.0.bb 
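Review bot: in the hunk adding free_push_headers(), the loop condition renders here as `for(i = 0; ipush_headers_used; i++)`, which is not valid C; it reads as the HTML-stripped form of `i < stream->push_headers_used` (the removed loop in push_promise() is mangled the same way), so check that the file committed as meta/recipes-support/curl/curl/CVE-2024-2398.patch carries the real expression, since this rendering cannot show it. Separately, the helper resets push_headers_used and frees the array but leaves push_headers_alloc at its old value; on_header() grows the array by doubling push_headers_alloc and realloc'ing stream->push_headers, so either confirm the allocation path there (not shown in this hunk) reinitialises a NULL push_headers with a stale non-zero push_headers_alloc, or add `stream->push_headers_alloc = 0;` to the helper so the three fields always agree.

Review bot: the on_header() hunk's switch from Curl_saferealloc() to plain realloc() is load-bearing and deserves a one-line comment at the call site: the failure path now calls free_push_headers(stream), which walks and frees stream->push_headers, and that is only correct if a failed reallocation leaves the old array intact, which realloc() guarantees. The removed code set `stream->push_headers = NULL;` after a failed Curl_saferealloc() without touching the strings or push_headers_used, which is the leak this change closes, but without a comment a later cleanup could put Curl_saferealloc() back and turn the same path into a double free.

Review bot: in the Curl_http2_done() hunk the removed code guarded its loop with `if(http->push_headers)`, whereas free_push_headers() dereferences push_headers whenever push_headers_used is non-zero; that is safe only under the invariant that push_headers_used is 0 whenever push_headers is NULL, which the helper maintains but nothing states. A `DEBUGASSERT(http->push_headers || !http->push_headers_used);` at the top of the helper would document the invariant and catch any future caller that breaks it.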
@@ -57,6 +57,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \ file://CVE-2023-46219-0001.patch \ file://CVE-2023-46219-0002.patch \ file://CVE-2023-46219-0003.patch \ + file://CVE-2024-2398.patch \ " SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c" From patchwork Wed Apr 3 03:46:58 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 41941 X-Patchwork-Delegate: steve@sakoman.com
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 5/9] qemu: Fix for CVE-2023-6683 Date: Tue, 2 Apr 2024 17:46:58 -1000 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 03 Apr 2024 03:47:24 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/197898 From: Vijay Anusuri Upstream-Status: Backport from https://gitlab.com/qemu-project/qemu/-/commit/405484b29f6548c7b86549b0f961b906337aa68a Reference: https://security-tracker.debian.org/tracker/CVE-2023-6683 Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2023-6683.patch | 92 +++++++++++++++++++ 2 files changed, 93 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-6683.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index ad6b310137..4747310ae4 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -108,6 +108,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://scsi-disk-allow-MODE-SELECT-block-desriptor-to-set-the-block-size.patch \ file://scsi-disk-ensure-block-size-is-non-zero-and-changes-limited-to-bits-8-15.patch \ file://CVE-2023-42467.patch \ + file://CVE-2023-6683.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-6683.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-6683.patch new file mode 100644 index 0000000000..e528574076 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-6683.patch 
@@ -0,0 +1,92 @@ +From 405484b29f6548c7b86549b0f961b906337aa68a Mon Sep 17 00:00:00 2001 +From: Fiona Ebner +Date: Wed, 24 Jan 2024 11:57:48 +0100 +Subject: [PATCH] ui/clipboard: mark type as not available when there is no + data +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +With VNC, a client can send a non-extended VNC_MSG_CLIENT_CUT_TEXT +message with len=0. In qemu_clipboard_set_data(), the clipboard info +will be updated setting data to NULL (because g_memdup(data, size) +returns NULL when size is 0). If the client does not set the +VNC_ENCODING_CLIPBOARD_EXT feature when setting up the encodings, then +the 'request' callback for the clipboard peer is not initialized. +Later, because data is NULL, qemu_clipboard_request() can be reached +via vdagent_chr_write() and vdagent_clipboard_recv_request() and +there, the clipboard owner's 'request' callback will be attempted to +be called, but that is a NULL pointer. + +In particular, this can happen when using the KRDC (22.12.3) VNC +client. + +Another scenario leading to the same issue is with two clients (say +noVNC and KRDC): + +The noVNC client sets the extension VNC_FEATURE_CLIPBOARD_EXT and +initializes its cbpeer. + +The KRDC client does not, but triggers a vnc_client_cut_text() (note +it's not the _ext variant)). There, a new clipboard info with it as +the 'owner' is created and via qemu_clipboard_set_data() is called, +which in turn calls qemu_clipboard_update() with that info. + +In qemu_clipboard_update(), the notifier for the noVNC client will be +called, i.e. vnc_clipboard_notify() and also set vs->cbinfo for the +noVNC client. The 'owner' in that clipboard info is the clipboard peer +for the KRDC client, which did not initialize the 'request' function. +That sounds correct to me, it is the owner of that clipboard info. 
+ +Then when noVNC sends a VNC_MSG_CLIENT_CUT_TEXT message (it did set +the VNC_FEATURE_CLIPBOARD_EXT feature correctly, so a check for it +passes), that clipboard info is passed to qemu_clipboard_request() and +the original segfault still happens. + +Fix the issue by handling updates with size 0 differently. In +particular, mark in the clipboard info that the type is not available. + +While at it, switch to g_memdup2(), because g_memdup() is deprecated. + +Cc: qemu-stable@nongnu.org +Fixes: CVE-2023-6683 +Reported-by: Markus Frank +Suggested-by: Marc-André Lureau +Signed-off-by: Fiona Ebner +Reviewed-by: Marc-André Lureau +Tested-by: Markus Frank +Message-ID: <20240124105749.204610-1-f.ebner@proxmox.com> + +Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/405484b29f6548c7b86549b0f961b906337aa68a] +CVE: CVE-2023-6683 +Signed-off-by: Vijay Anusuri +--- + ui/clipboard.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/ui/clipboard.c b/ui/clipboard.c +index 3d14bffaf80..b3f6fa3c9e1 100644 +--- a/ui/clipboard.c ++++ b/ui/clipboard.c +@@ -163,9 +163,15 @@ void qemu_clipboard_set_data(QemuClipboardPeer *peer, + } + + g_free(info->types[type].data); +- info->types[type].data = g_memdup(data, size); +- info->types[type].size = size; +- info->types[type].available = true; ++ if (size) { ++ info->types[type].data = g_memdup2(data, size); ++ info->types[type].size = size; ++ info->types[type].available = true; ++ } else { ++ info->types[type].data = NULL; ++ info->types[type].size = 0; ++ info->types[type].available = false; ++ } + + if (update) { + qemu_clipboard_update(info); +-- +GitLab + From patchwork Wed Apr 3 03:46:59 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 41945 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on 
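Review bot: the ui/clipboard.c hunk introduces g_memdup2(), which is a GLib 2.68 API; the commit message says upstream switched away from the deprecated g_memdup() "while at it", so for this branch confirm that the qemu being patched either builds against a GLib that has g_memdup2() or carries its own wrapper for it (QEMU has provided one in include/glib-compat.h in recent releases), otherwise keep g_memdup() in the backport and take only the `size == 0` branch, which is the part that addresses CVE-2023-6683. The else branch itself is right: after the unconditional `g_free(info->types[type].data);` above it, data, size and available are reset together, so a zero-length VNC_MSG_CLIENT_CUT_TEXT no longer leaves a type marked available with a NULL data pointer for qemu_clipboard_request() to hand to an uninitialised 'request' callback.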
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 6/9] tiff: fix CVE-2023-52356 CVE-2023-6277 Date: Tue, 2 Apr 2024 17:46:59 -1000 Message-Id: <4728df36bb3888df4d3cc0db1fd66138e865c511.1712115855.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 03 Apr 2024 03:47:24 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/197899 From: Lee Chee Yang import patch from ubuntu to fix CVE-2023-52356 CVE-2023-6277 import from http://archive.ubuntu.com/ubuntu/pool/main/t/tiff/tiff_4.3.0-6ubuntu0.8.debian.tar.xz Signed-off-by: Lee Chee Yang
Signed-off-by: Steve Sakoman --- .../libtiff/tiff/CVE-2023-52356.patch | 54 ++++++ .../libtiff/tiff/CVE-2023-6277-1.patch | 178 ++++++++++++++++++ .../libtiff/tiff/CVE-2023-6277-2.patch | 151 +++++++++++++++ .../libtiff/tiff/CVE-2023-6277-3.patch | 46 +++++ .../libtiff/tiff/CVE-2023-6277-4.patch | 93 +++++++++ meta/recipes-multimedia/libtiff/tiff_4.3.0.bb | 5 + 6 files changed, 527 insertions(+) create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-1.patch create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-2.patch create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-3.patch create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-4.patch diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch new file mode 100644 index 0000000000..4eb7d79c8f --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch 
@@ -0,0 +1,54 @@ +CVE: CVE-2023-52356 +Upstream-Status: Backport [upstream : https://gitlab.com/libtiff/libtiff/-/commit/51558511bdbbcffdce534db21dbaf5d54b31638a +ubuntu : http://archive.ubuntu.com/ubuntu/pool/main/t/tiff/tiff_4.3.0-6ubuntu0.8.debian.tar.xz ] +Signed-off-by: Lee Chee Yang + +[Ubuntu note: Backport of the following patch from upstream, with a few changes +to match the current version of the file in the present Ubuntu release: + . using TIFFErrorExt instead of TIFFErrorExtR (the latter did not exist yet); +-- Rodrigo Figueiredo Zaiden] + +Backport of: + +From 51558511bdbbcffdce534db21dbaf5d54b31638a Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Tue, 31 Oct 2023 15:58:41 +0100 +Subject: [PATCH] TIFFReadRGBAStrip/TIFFReadRGBATile: add more validation of + col/row (fixes #622) + +--- + libtiff/tif_getimage.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + + +--- tiff-4.3.0.orig/libtiff/tif_getimage.c ++++ tiff-4.3.0/libtiff/tif_getimage.c +@@ -2942,6 +2942,13 @@ TIFFReadRGBAStripExt(TIFF* tif, uint32_t + } + + if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, stop_on_error, emsg)) { ++ if (row >= img.height) ++ { ++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), ++ "Invalid row passed to TIFFReadRGBAStrip()."); ++ TIFFRGBAImageEnd(&img); ++ return (0); ++ } + + img.row_offset = row; + img.col_offset = 0; +@@ -3018,6 +3025,14 @@ TIFFReadRGBATileExt(TIFF* tif, uint32_t + return( 0 ); + } + ++ if (col >= img.width || row >= img.height) ++ { ++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), ++ "Invalid row/col passed to TIFFReadRGBATile()."); ++ TIFFRGBAImageEnd(&img); ++ return (0); ++ } ++ + /* + * The TIFFRGBAImageGet() function doesn't allow us to get off the + * edge of the image, even to fill an otherwise valid tile. So we diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-1.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-1.patch new file mode 100644 index 0000000000..453df897ac 
--- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-1.patch 
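Review bot: CVE-2023-52356.patch, TIFFReadRGBATileExt hunk: the new `col >= img.width || row >= img.height` check calls TIFFRGBAImageEnd(&img) before returning, which is only correct if it sits after a successful TIFFRGBAImageBegin(); the context visible here (`return( 0 ); }`) does not show that call, so confirm the hunk landed after TIFFRGBAImageBegin() in the 4.3.0 source, as the TIFFReadRGBAStripExt hunk visibly does (its check is inside the `TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(...)` block). Both checks are complete for unsigned row/col since `>=` against the image dimension rejects every out-of-range value, and the Ubuntu note about TIFFErrorExt replacing TIFFErrorExtR is the only divergence from upstream, so no further adaptation is needed.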
@@ -0,0 +1,178 @@ +CVE: CVE-2023-6277 +Upstream-Status: Backport [upstream : https://gitlab.com/libtiff/libtiff/-/commit/5320c9d89c054fa805d037d84c57da874470b01a +ubuntu : http://archive.ubuntu.com/ubuntu/pool/main/t/tiff/tiff_4.3.0-6ubuntu0.8.debian.tar.xz ] +Signed-off-by: Lee Chee Yang + +[Ubuntu note: Backport of the following patch from upstream, with a few changes +to match the current version of the file in the present Ubuntu release: + . using TIFFWarningExt instead of TIFFWarningExtR (the latter did not exist yet); + . calling _TIFFfree(data) instead of _TIFFfreeExt(tif, data) (the latter did not exist yet); +-- Rodrigo Figueiredo Zaiden] + +Backport of: + +From 5320c9d89c054fa805d037d84c57da874470b01a Mon Sep 17 00:00:00 2001 +From: Su Laus +Date: Tue, 31 Oct 2023 15:43:29 +0000 +Subject: [PATCH] Prevent some out-of-memory attacks + +Some small fuzzer files fake large amounts of data and provoke out-of-memory situations. For non-compressed data content / tags, out-of-memory can be prevented by comparing with the file size. + +At image reading, data size of some tags / data structures (StripByteCounts, StripOffsets, StripArray, TIFF directory) is compared with file size to prevent provoked out-of-memory attacks. + +See issue https://gitlab.com/libtiff/libtiff/-/issues/614#note_1602683857 +--- + libtiff/tif_dirread.c | 92 ++++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 90 insertions(+), 2 deletions(-) + +--- tiff-4.3.0.orig/libtiff/tif_dirread.c ++++ tiff-4.3.0/libtiff/tif_dirread.c +@@ -866,6 +866,21 @@ static enum TIFFReadDirEntryErr TIFFRead + datasize=(*count)*typesize; + assert((tmsize_t)datasize>0); + ++ /* Before allocating a huge amount of memory for corrupted files, check if ++ * size of requested memory is not greater than file size. 
++ */ ++ uint64_t filesize = TIFFGetFileSize(tif); ++ if (datasize > filesize) ++ { ++ TIFFWarningExt(tif->tif_clientdata, "ReadDirEntryArray", ++ "Requested memory size for tag %d (0x%x) %" PRIu32 ++ " is greather than filesize %" PRIu64 ++ ". Memory not allocated, tag not read", ++ direntry->tdir_tag, direntry->tdir_tag, datasize, ++ filesize); ++ return (TIFFReadDirEntryErrAlloc); ++ } ++ + if( isMapped(tif) && datasize > (uint64_t)tif->tif_size ) + return TIFFReadDirEntryErrIo; + +@@ -4593,6 +4608,20 @@ EstimateStripByteCounts(TIFF* tif, TIFFD + if( !_TIFFFillStrilesInternal( tif, 0 ) ) + return -1; + ++ /* Before allocating a huge amount of memory for corrupted files, check if ++ * size of requested memory is not greater than file size. */ ++ uint64_t filesize = TIFFGetFileSize(tif); ++ uint64_t allocsize = (uint64_t)td->td_nstrips * sizeof(uint64_t); ++ if (allocsize > filesize) ++ { ++ TIFFWarningExt(tif->tif_clientdata, module, ++ "Requested memory size for StripByteCounts of %" PRIu64 ++ " is greather than filesize %" PRIu64 ++ ". Memory not allocated", ++ allocsize, filesize); ++ return -1; ++ } ++ + if (td->td_stripbytecount_p) + _TIFFfree(td->td_stripbytecount_p); + td->td_stripbytecount_p = (uint64_t*) +@@ -4603,9 +4632,7 @@ EstimateStripByteCounts(TIFF* tif, TIFFD + + if (td->td_compression != COMPRESSION_NONE) { + uint64_t space; +- uint64_t filesize; + uint16_t n; +- filesize = TIFFGetFileSize(tif); + if (!(tif->tif_flags&TIFF_BIGTIFF)) + space=sizeof(TIFFHeaderClassic)+2+dircount*12+4; + else +@@ -4913,6 +4940,20 @@ TIFFFetchDirectory(TIFF* tif, uint64_t d + dircount16 = (uint16_t)dircount64; + dirsize = 20; + } ++ /* Before allocating a huge amount of memory for corrupted files, check ++ * if size of requested memory is not greater than file size. 
*/ ++ uint64_t filesize = TIFFGetFileSize(tif); ++ uint64_t allocsize = (uint64_t)dircount16 * dirsize; ++ if (allocsize > filesize) ++ { ++ TIFFWarningExt( ++ tif->tif_clientdata, module, ++ "Requested memory size for TIFF directory of %" PRIu64 ++ " is greather than filesize %" PRIu64 ++ ". Memory not allocated, TIFF directory not read", ++ allocsize, filesize); ++ return 0; ++ } + origdir = _TIFFCheckMalloc(tif, dircount16, + dirsize, "to read TIFF directory"); + if (origdir == NULL) +@@ -5016,6 +5057,20 @@ TIFFFetchDirectory(TIFF* tif, uint64_t d + "Sanity check on directory count failed, zero tag directories not supported"); + return 0; + } ++ /* Before allocating a huge amount of memory for corrupted files, check ++ * if size of requested memory is not greater than file size. */ ++ uint64_t filesize = TIFFGetFileSize(tif); ++ uint64_t allocsize = (uint64_t)dircount16 * dirsize; ++ if (allocsize > filesize) ++ { ++ TIFFWarningExt( ++ tif->tif_clientdata, module, ++ "Requested memory size for TIFF directory of %" PRIu64 ++ " is greather than filesize %" PRIu64 ++ ". Memory not allocated, TIFF directory not read", ++ allocsize, filesize); ++ return 0; ++ } + origdir = _TIFFCheckMalloc(tif, dircount16, + dirsize, + "to read TIFF directory"); +@@ -5059,6 +5114,8 @@ TIFFFetchDirectory(TIFF* tif, uint64_t d + } + } + } ++ /* No check against filesize needed here because "dir" should have same size ++ * than "origdir" checked above. */ + dir = (TIFFDirEntry*)_TIFFCheckMalloc(tif, dircount16, + sizeof(TIFFDirEntry), + "to read TIFF directory"); +@@ -5853,6 +5910,20 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEn + return(0); + } + ++ /* Before allocating a huge amount of memory for corrupted files, check ++ * if size of requested memory is not greater than file size. 
*/ ++ uint64_t filesize = TIFFGetFileSize(tif); ++ uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t); ++ if (allocsize > filesize) ++ { ++ TIFFWarningExt(tif->tif_clientdata, module, ++ "Requested memory size for StripArray of %" PRIu64 ++ " is greather than filesize %" PRIu64 ++ ". Memory not allocated", ++ allocsize, filesize); ++ _TIFFfree(data); ++ return (0); ++ } + resizeddata=(uint64_t*)_TIFFCheckMalloc(tif, nstrips, sizeof(uint64_t), "for strip array"); + if (resizeddata==0) { + _TIFFfree(data); +@@ -5948,6 +6019,23 @@ static void allocChoppedUpStripArrays(TI + } + bytecount = last_offset + last_bytecount - offset; + ++ /* Before allocating a huge amount of memory for corrupted files, check if ++ * size of StripByteCount and StripOffset tags is not greater than ++ * file size. ++ */ ++ uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t) * 2; ++ uint64_t filesize = TIFFGetFileSize(tif); ++ if (allocsize > filesize) ++ { ++ TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays", ++ "Requested memory size for StripByteCount and " ++ "StripOffsets %" PRIu64 ++ " is greather than filesize %" PRIu64 ++ ". Memory not allocated", ++ allocsize, filesize); ++ return; ++ } ++ + newcounts = (uint64_t*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64_t), + "for chopped \"StripByteCounts\" array"); + newoffsets = (uint64_t*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64_t), diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-2.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-2.patch new file mode 100644 index 0000000000..ad39c1c4dd --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-2.patch 
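Review bot: the TIFFReadDirEntryArray hunk calls TIFFGetFileSize() for every tag array read, ahead of the existing `isMapped(tif) && datasize > (uint64_t)tif->tif_size` test; the follow-up CVE-2023-6277-2.patch in this same mail describes exactly that as a performance regression and narrows it to requests above 100 MiB, so the two patches must always be applied together and the recipe should list -2 directly after -1. Also consider callers that opened the file with TIFFClientOpen() and a size proc that cannot report a length: if TIFFGetFileSize() returns 0 there, `datasize > filesize` rejects every tag array, so a `filesize != 0` guard or a note in the backport header is warranted. Minor: every warning in this patch spells "greather"; the -2 patch fixes only the two sites it rewrites, leaving the TIFFFetchDirectory, TIFFFetchStripThing and allocChoppedUpStripArrays messages misspelled.

Review bot: the two TIFFFetchDirectory hunks, the EstimateStripByteCounts hunk and the TIFFFetchStripThing hunk each paste the same block (`uint64_t filesize = TIFFGetFileSize(tif); uint64_t allocsize = ...; if (allocsize > filesize) { TIFFWarningExt(...); return ...; }`) with only the message and return value differing; a small static helper in tif_dirread.c that takes the module name, a description and allocsize would keep the threshold logic in one place, which matters once the -2 patch changes that logic at every site. The TIFFFetchStripThing hunk correctly frees `data` before returning, and the allocChoppedUpStripArrays hunk returns before newcounts/newoffsets exist so it has nothing to free, so the error paths are consistent as written.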
@@ -0,0 +1,151 @@ +CVE: CVE-2023-6277 +Upstream-Status: Backport [upstream : https://gitlab.com/libtiff/libtiff/-/commit/0b025324711213a75e38b52f7e7ba60235f108aa +ubuntu : http://archive.ubuntu.com/ubuntu/pool/main/t/tiff/tiff_4.3.0-6ubuntu0.8.debian.tar.xz ] +Signed-off-by: Lee Chee Yang + +[Ubuntu note: Backport of the following patch from upstream, with a few changes +to match the current version of the file in the present Ubuntu release: + . using TIFFWarningExt instead of TIFFWarningExtR (the latter did not exist yet); +-- Rodrigo Figueiredo Zaiden] + +Backport of: + +From 0b025324711213a75e38b52f7e7ba60235f108aa Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Tue, 31 Oct 2023 19:47:22 +0100 +Subject: [PATCH] tif_dirread.c: only issue TIFFGetFileSize() for large enough + RAM requests + +Ammends 5320c9d89c054fa805d037d84c57da874470b01a + +This fixes a performance regression caught by the GDAL regression test +suite. +--- + libtiff/tif_dirread.c | 83 +++++++++++++++++++++++++------------------ + 1 file changed, 48 insertions(+), 35 deletions(-) + +--- tiff-4.3.0.orig/libtiff/tif_dirread.c ++++ tiff-4.3.0/libtiff/tif_dirread.c +@@ -866,19 +866,22 @@ static enum TIFFReadDirEntryErr TIFFRead + datasize=(*count)*typesize; + assert((tmsize_t)datasize>0); + +- /* Before allocating a huge amount of memory for corrupted files, check if +- * size of requested memory is not greater than file size. +- */ +- uint64_t filesize = TIFFGetFileSize(tif); +- if (datasize > filesize) ++ if (datasize > 100 * 1024 * 1024) + { +- TIFFWarningExt(tif->tif_clientdata, "ReadDirEntryArray", +- "Requested memory size for tag %d (0x%x) %" PRIu32 +- " is greather than filesize %" PRIu64 +- ". Memory not allocated, tag not read", +- direntry->tdir_tag, direntry->tdir_tag, datasize, +- filesize); +- return (TIFFReadDirEntryErrAlloc); ++ /* Before allocating a huge amount of memory for corrupted files, check ++ * if size of requested memory is not greater than file size. 
++ */ ++ const uint64_t filesize = TIFFGetFileSize(tif); ++ if (datasize > filesize) ++ { ++ TIFFWarningExt(tif->tif_clientdata, "ReadDirEntryArray", ++ "Requested memory size for tag %d (0x%x) %" PRIu32 ++ " is greater than filesize %" PRIu64 ++ ". Memory not allocated, tag not read", ++ direntry->tdir_tag, direntry->tdir_tag, datasize, ++ filesize); ++ return (TIFFReadDirEntryErrAlloc); ++ } + } + + if( isMapped(tif) && datasize > (uint64_t)tif->tif_size ) +@@ -4608,18 +4611,22 @@ EstimateStripByteCounts(TIFF* tif, TIFFD + if( !_TIFFFillStrilesInternal( tif, 0 ) ) + return -1; + +- /* Before allocating a huge amount of memory for corrupted files, check if +- * size of requested memory is not greater than file size. */ +- uint64_t filesize = TIFFGetFileSize(tif); +- uint64_t allocsize = (uint64_t)td->td_nstrips * sizeof(uint64_t); +- if (allocsize > filesize) ++ const uint64_t allocsize = (uint64_t)td->td_nstrips * sizeof(uint64_t); ++ uint64_t filesize = 0; ++ if (allocsize > 100 * 1024 * 1024) + { +- TIFFWarningExt(tif->tif_clientdata, module, +- "Requested memory size for StripByteCounts of %" PRIu64 +- " is greather than filesize %" PRIu64 +- ". Memory not allocated", +- allocsize, filesize); +- return -1; ++ /* Before allocating a huge amount of memory for corrupted files, check ++ * if size of requested memory is not greater than file size. */ ++ filesize = TIFFGetFileSize(tif); ++ if (allocsize > filesize) ++ { ++ TIFFWarningExt( ++ tif->tif_clientdata, module, ++ "Requested memory size for StripByteCounts of %" PRIu64 ++ " is greater than filesize %" PRIu64 ". Memory not allocated", ++ allocsize, filesize); ++ return -1; ++ } + } + + if (td->td_stripbytecount_p) +@@ -4666,11 +4673,13 @@ EstimateStripByteCounts(TIFF* tif, TIFFD + return -1; + space+=datasize; + } ++ if (filesize == 0) ++ filesize = TIFFGetFileSize(tif); + if( filesize < space ) +- /* we should perhaps return in error ? 
*/ +- space = filesize; +- else +- space = filesize - space; ++ /* we should perhaps return in error ? */ ++ space = filesize; ++ else ++ space = filesize - space; + if (td->td_planarconfig == PLANARCONFIG_SEPARATE) + space /= td->td_samplesperpixel; + for (strip = 0; strip < td->td_nstrips; strip++) +@@ -4940,19 +4949,23 @@ TIFFFetchDirectory(TIFF* tif, uint64_t d + dircount16 = (uint16_t)dircount64; + dirsize = 20; + } +- /* Before allocating a huge amount of memory for corrupted files, check +- * if size of requested memory is not greater than file size. */ +- uint64_t filesize = TIFFGetFileSize(tif); +- uint64_t allocsize = (uint64_t)dircount16 * dirsize; +- if (allocsize > filesize) ++ const uint64_t allocsize = (uint64_t)dircount16 * dirsize; ++ if (allocsize > 100 * 1024 * 1024) + { +- TIFFWarningExt( +- tif->tif_clientdata, module, +- "Requested memory size for TIFF directory of %" PRIu64 +- " is greather than filesize %" PRIu64 +- ". Memory not allocated, TIFF directory not read", +- allocsize, filesize); +- return 0; ++ /* Before allocating a huge amount of memory for corrupted files, ++ * check if size of requested memory is not greater than file size. ++ */ ++ const uint64_t filesize = TIFFGetFileSize(tif); ++ if (allocsize > filesize) ++ { ++ TIFFWarningExt( ++ tif->tif_clientdata, module, ++ "Requested memory size for TIFF directory of %" PRIu64 ++ " is greater than filesize %" PRIu64 ++ ". Memory not allocated, TIFF directory not read", ++ allocsize, filesize); ++ return 0; ++ } + } + origdir = _TIFFCheckMalloc(tif, dircount16, + dirsize, "to read TIFF directory"); diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-3.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-3.patch new file mode 100644 index 0000000000..71eba2f34e --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-3.patch 
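Review bot: the threshold `100 * 1024 * 1024` in the ReadDirEntryArray hunk (@@ -866) is a bare literal that this patch and CVE-2023-6277-4.patch repeat in four separate places; define it once (a file-scope constant or macro in tif_dirread.c) so the sites cannot drift and the tuning knob is visible in one spot. The comparison itself is sound: datasize is a uint32_t here (hence the PRIu32 in the message), so the int constant converts without truncation, and the early `return (TIFFReadDirEntryErrAlloc);` leaves nothing to free.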
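Review bot: in the EstimateStripByteCounts hunks (@@ -4608 and @@ -4666) the lazy `if (filesize == 0) filesize = TIFFGetFileSize(tif);` uses 0 as the "not yet fetched" sentinel, which is safe only because the earlier branch returns -1 whenever it fetched a size smaller than allocsize; a one-line comment at the sentinel would save the next reader from re-deriving that. The re-indentation of the `/* we should perhaps return in error ? */ space = filesize; else space = filesize - space;` block is whitespace-only churn that inflates a security backport and makes it harder to check against upstream; drop it from the backport.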
@@ -0,0 +1,46 @@ +CVE: CVE-2023-6277 +Upstream-Status: Backport [upstream : https://gitlab.com/libtiff/libtiff/-/commit/de7bfd7d4377c266f81849579f696fa1ad5ba6c3 +ubuntu : http://archive.ubuntu.com/ubuntu/pool/main/t/tiff/tiff_4.3.0-6ubuntu0.8.debian.tar.xz ] +Signed-off-by: Lee Chee Yang + +Backport of: + +From de7bfd7d4377c266f81849579f696fa1ad5ba6c3 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Tue, 31 Oct 2023 20:13:45 +0100 +Subject: [PATCH] TIFFFetchDirectory(): remove useless allocsize vs filesize + check + +CoverityScan rightly points that the max value for dircount16 * dirsize +is 4096 * 20. That's small enough not to do any check +--- + libtiff/tif_dirread.c | 18 ------------------ + 1 file changed, 18 deletions(-) + +--- tiff-4.3.0.orig/libtiff/tif_dirread.c ++++ tiff-4.3.0/libtiff/tif_dirread.c +@@ -4949,24 +4949,6 @@ TIFFFetchDirectory(TIFF* tif, uint64_t d + dircount16 = (uint16_t)dircount64; + dirsize = 20; + } +- const uint64_t allocsize = (uint64_t)dircount16 * dirsize; +- if (allocsize > 100 * 1024 * 1024) +- { +- /* Before allocating a huge amount of memory for corrupted files, +- * check if size of requested memory is not greater than file size. +- */ +- const uint64_t filesize = TIFFGetFileSize(tif); +- if (allocsize > filesize) +- { +- TIFFWarningExt( +- tif->tif_clientdata, module, +- "Requested memory size for TIFF directory of %" PRIu64 +- " is greater than filesize %" PRIu64 +- ". Memory not allocated, TIFF directory not read", +- allocsize, filesize); +- return 0; +- } +- } + origdir = _TIFFCheckMalloc(tif, dircount16, + dirsize, "to read TIFF directory"); + if (origdir == NULL) diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-4.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-4.patch new file mode 100644 index 0000000000..61f48726e4 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-4.patch 
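Review bot: removing the block is correct only because dircount64 is already rejected above 4096 before `dircount16 = (uint16_t)dircount64;`, as the patch header says Coverity pointed out; that sanity check is not in the hunk context, so confirm it is present at this spot in the 4.3.0 tree (it is what bounds the following `_TIFFCheckMalloc(tif, dircount16, dirsize, ...)`) before applying -3 on top of -1 and -2.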
@@ -0,0 +1,93 @@ +CVE: CVE-2023-6277 +Upstream-Status: Backport [upstream : https://gitlab.com/libtiff/libtiff/-/commit/dbb825a8312f30e63a06c272010967d51af5c35a +ubuntu : http://archive.ubuntu.com/ubuntu/pool/main/t/tiff/tiff_4.3.0-6ubuntu0.8.debian.tar.xz ] +Signed-off-by: Lee Chee Yang + +[Ubuntu note: Backport of the following patch from upstream, with a few changes +to match the current version of the file in the present Ubuntu release: + . using TIFFWarningExt instead of TIFFWarningExtR (the latter did not exist yet); + . calling _TIFFfree(data) instead of _TIFFfreeExt(tif, data) (the latter did not exist yet); +-- Rodrigo Figueiredo Zaiden] + +Backport of: + +From dbb825a8312f30e63a06c272010967d51af5c35a Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Tue, 31 Oct 2023 21:30:58 +0100 +Subject: [PATCH] tif_dirread.c: only issue TIFFGetFileSize() for large enough + RAM requests + +--- + libtiff/tif_dirread.c | 54 +++++++++++++++++++++++++------------------ + 1 file changed, 31 insertions(+), 23 deletions(-) + +--- tiff-4.3.0.orig/libtiff/tif_dirread.c ++++ tiff-4.3.0/libtiff/tif_dirread.c +@@ -5905,19 +5905,24 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEn + return(0); + } + +- /* Before allocating a huge amount of memory for corrupted files, check +- * if size of requested memory is not greater than file size. */ +- uint64_t filesize = TIFFGetFileSize(tif); +- uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t); +- if (allocsize > filesize) ++ const uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t); ++ if (allocsize > 100 * 1024 * 1024) + { +- TIFFWarningExt(tif->tif_clientdata, module, +- "Requested memory size for StripArray of %" PRIu64 +- " is greather than filesize %" PRIu64 +- ". Memory not allocated", +- allocsize, filesize); +- _TIFFfree(data); +- return (0); ++ /* Before allocating a huge amount of memory for corrupted files, ++ * check if size of requested memory is not greater than file size. 
++ */ ++ const uint64_t filesize = TIFFGetFileSize(tif); ++ if (allocsize > filesize) ++ { ++ TIFFWarningExt( ++ tif->tif_clientdata, module, ++ "Requested memory size for StripArray of %" PRIu64 ++ " is greater than filesize %" PRIu64 ++ ". Memory not allocated", ++ allocsize, filesize); ++ _TIFFfree(data); ++ return (0); ++ } + } + resizeddata=(uint64_t*)_TIFFCheckMalloc(tif, nstrips, sizeof(uint64_t), "for strip array"); + if (resizeddata==0) { +@@ -6018,17 +6023,20 @@ static void allocChoppedUpStripArrays(TI + * size of StripByteCount and StripOffset tags is not greater than + * file size. + */ +- uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t) * 2; +- uint64_t filesize = TIFFGetFileSize(tif); +- if (allocsize > filesize) ++ const uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t) * 2; ++ if (allocsize > 100 * 1024 * 1024) + { +- TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays", +- "Requested memory size for StripByteCount and " +- "StripOffsets %" PRIu64 +- " is greather than filesize %" PRIu64 +- ". Memory not allocated", +- allocsize, filesize); +- return; ++ const uint64_t filesize = TIFFGetFileSize(tif); ++ if (allocsize > filesize) ++ { ++ TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays", ++ "Requested memory size for StripByteCount and " ++ "StripOffsets %" PRIu64 ++ " is greater than filesize %" PRIu64 ++ ". Memory not allocated", ++ allocsize, filesize); ++ return; ++ } + } + + newcounts = (uint64_t*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64_t), diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb index d284100ab2..b4af179e76 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb 
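Review bot: the TIFFFetchStripThing hunk (@@ -5905) changes what the check promises: requests up to 100 MiB are now allocated with no comparison against the file at all, so a crafted file of a few KiB can still make libtiff reserve up to 100 MiB per strip array; that is a reasonable trade against a size query on every read, but the header only says "only issue TIFFGetFileSize() for large enough RAM requests", so spell the accepted residual out in the Ubuntu note so the CVE status of this backport is not overstated.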
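Review bot: in the allocChoppedUpStripArrays hunk (@@ -6018) the `/* Before allocating a huge amount of memory ... file size. */` comment stays outside the new `if (allocsize > 100 * 1024 * 1024)` as unchanged context, so it now sits above the threshold test rather than the filesize comparison it describes; move it inside the if next to `const uint64_t filesize = TIFFGetFileSize(tif);`, as the TIFFFetchStripThing hunk in this same patch does, or reword it to mention the size gate.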
@@ -48,6 +48,11 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ file://CVE-2023-40745.patch \ file://CVE-2023-41175.patch \ file://CVE-2023-6228.patch \ + file://CVE-2023-52356.patch \ + file://CVE-2023-6277-1.patch \ + file://CVE-2023-6277-2.patch \ + file://CVE-2023-6277-3.patch \ + file://CVE-2023-6277-4.patch \ " SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8" From patchwork Wed Apr 3 03:47:00 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 41943 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2F9F1CD1296 for ; Wed, 3 Apr 2024 03:47:24 +0000 (UTC) Received: from mail-pg1-f181.google.com (mail-pg1-f181.google.com [209.85.215.181]) by mx.groups.io with SMTP id smtpd.web11.3081.1712116040624482129 for ; Tue, 02 Apr 2024 20:47:20 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=HVoe1ycT; spf=softfail (domain: sakoman.com, ip: 209.85.215.181, mailfrom: steve@sakoman.com) Received: by mail-pg1-f181.google.com with SMTP id 41be03b00d2f7-5cddc5455aeso3740081a12.1 for ; Tue, 02 Apr 2024 20:47:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1712116040; x=1712720840; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=YWkt7m7/bKYlSSCLvgPJ9WuroZYBIJeBzoeLfhN7HYY=; b=HVoe1ycTEzhsY9sj5VTcP9Ys6gzEb4xtVDb8ILexcPj6DqdECf/e3YbGsOzbOT2PLJ 
LOhPG/sLF/ZWFNoDRe04srJFjDeS/DtwC/A5vTC4Y9DHWFV5eoaHo+sdGOI/yEwIVvmi r9dVJ51eUudL8Y1PYt0mBmFjXjwjIKchzdOT5oxQH6HzdxUZmXBWtHtgzVJT5LWzpaSJ s+5ePrps04iIxuPbG6ckwNM7djW2R9rVfUqKg2y9DwlfYHHjdTVE3gqdQxnzu51Kry/s OMIbVVL/AToro/QmYZFLGBBklXVdIpLnhBmfgpPqiwA0fgzLSE24Gj8slS7cq4LKuB+N tCqA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712116040; x=1712720840; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=YWkt7m7/bKYlSSCLvgPJ9WuroZYBIJeBzoeLfhN7HYY=; b=I/WpqZxPFgfE5sqzxTpHExEhVa+AIxWitT3oPSjR237sHPZt0g1zFNgXm79btB///W HvIfwnZb8m47mHfO4FsUzjxBt+3OSdj2dxG80VopdeGFW7Ow6Q0IzfchbVPKRC3l4VRU zot5dssSgYyAnde3wseAjDYUCApX6MPQcncMtOYoON8WZufTNQCfodsEwpH622f881zf w8Fyj1+ZNe6S46e/+cRHnn7hrKQJLW8NeiERPMP3i4upHnNl2Qrax9kP5EXc6GkI5jb4 rE+QBet6eiXXRTO1txysqRZhCI+u6IMJ9wkhIvb0/n7uSsOr4MmuIaBtvzT7NdCzfOTM wCMg== X-Gm-Message-State: AOJu0Yx3Z5f7D2AWANMQ4jADNWOnrnhEsC520HpQaCYMQSJn/RYOdjYu Fwuoijk2ktFvNpLrHIbPHv3gJYDG0wx6S++qDhX33f3xKZgJhjHJwW/i576GCQ2SjznYr99VBFy jG6A= X-Google-Smtp-Source: AGHT+IH2ODI9ox904aP0ZAZW7AqqkwKDn3ZmwuzqjaAKjrKJoCS2qxmMQM0ihYlkq3J3W0TDQFNIWQ== X-Received: by 2002:a05:6a20:4393:b0:1a3:579f:2c5c with SMTP id i19-20020a056a20439300b001a3579f2c5cmr14315165pzl.53.1712116040035; Tue, 02 Apr 2024 20:47:20 -0700 (PDT) Received: from xps13.. (067-053-223-136.biz.spectrum.com. [67.53.223.136]) by smtp.gmail.com with ESMTPSA id m11-20020a170902c44b00b001e278fb17c5sm2326128plm.150.2024.04.02.20.47.19 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 02 Apr 2024 20:47:19 -0700 (PDT) 
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 7/9] python3-urllib3: update to v1.26.18 Date: Tue, 2 Apr 2024 17:47:00 -1000 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 03 Apr 2024 03:47:24 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/197900 From: Tan Wen Yan https://github.com/urllib3/urllib3/releases/tag/1.26.18 Major changes in python3-urllib3 1.26.18: - Made body stripped from HTTP requests changing the request method to GET after HTTP 303 "See Other" redirect responses. (CVE-2023-45803) (cherry picked from OE-Core rev: 74da05b63634c248910594456dae286947f33da5) Signed-off-by: Tan Wen Yan Signed-off-by: Steve Sakoman Signed-off-by: Lee Chee Yang Signed-off-by: Steve Sakoman --- .../{python3-urllib3_1.26.17.bb => python3-urllib3_1.26.18.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta/recipes-devtools/python/{python3-urllib3_1.26.17.bb => python3-urllib3_1.26.18.bb} (86%) diff --git a/meta/recipes-devtools/python/python3-urllib3_1.26.17.bb b/meta/recipes-devtools/python/python3-urllib3_1.26.18.bb similarity index 86% rename from meta/recipes-devtools/python/python3-urllib3_1.26.17.bb rename to meta/recipes-devtools/python/python3-urllib3_1.26.18.bb index 57b166870a..d384b5eb2f 100644 --- a/meta/recipes-devtools/python/python3-urllib3_1.26.17.bb +++ b/meta/recipes-devtools/python/python3-urllib3_1.26.18.bb 
@@ -3,7 +3,7 @@ HOMEPAGE = "https://github.com/shazow/urllib3" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=c2823cb995439c984fd62a973d79815c" -SRC_URI[sha256sum] = "24d6a242c28d29af46c3fae832c36db3bbebcc533dd1bb549172cd739c82df21" +SRC_URI[sha256sum] = "f8ecc1bba5667413457c529ab955bf8c67b45db799d159066261719e328580a0" inherit pypi setuptools3 From patchwork Wed Apr 3 03:47:01 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 41942 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 37DB1CD129B for ; Wed, 3 Apr 2024 03:47:24 +0000 (UTC) Received: from mail-pf1-f172.google.com (mail-pf1-f172.google.com [209.85.210.172]) by mx.groups.io with SMTP id smtpd.web10.3151.1712116042163959508 for ; Tue, 02 Apr 2024 20:47:22 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=rLy3rqgn; spf=softfail (domain: sakoman.com, ip: 209.85.210.172, mailfrom: steve@sakoman.com) Received: by mail-pf1-f172.google.com with SMTP id d2e1a72fcca58-6eaf9565e6bso2301552b3a.2 for ; Tue, 02 Apr 2024 20:47:22 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1712116041; x=1712720841; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=Dxl0WwG5/0omQ/ag/WxdsxDBXZKXBrZYgQ+YPQk85Xg=; b=rLy3rqgnRpo4XEl22GqJ9tdAIcyMW+HsPDiH0JUjRBx7GOvnHs8HQAgSGqIEgc/CEt 2QsI2X5cpAm4QhriBJFesxH/oHPVG0LEJG76HjMIINAy5SzSeDTksY+OVHb4wrwtbVst 
W1+92LS8gkY/q/BkxqbA8vy3zF0mHNORQFClTVyUnVRiRAvgmpmz7t/xGGD3yr2xsSnv vf0WMAvw7AM9elELrhWfxbl6iCIKCLa2TinUH+1bTyCU7GzI7gSyI5tO1LCF/X1QVabD YoErU8DiQ5KsY22itqi2lM3btNbYnDqYcgsdRjbL226VaINyVDcyeFbG91/Yi7fd8G+O hfbA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712116041; x=1712720841; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Dxl0WwG5/0omQ/ag/WxdsxDBXZKXBrZYgQ+YPQk85Xg=; b=URQlJo9tFN0OLk31KlL/JBJmAy2ZZ2DrzJ9BbqJoZ5fsmRStVYEIClAUx54v6HPkKk Kvd/lVLo2W0l7+ozTqrD6pE06W5tOS93unU1cbLkPAdxS5D9fnmUZiP3JpV1KYh0M+/T OH+mCRGfPgLS9TninOXHwieGkAc/96C73aaFow29GtIOru+7eUcbop90R1Hvk1+B5DA1 d38bKzBdVyDUgrwCCgmTBjEo88YWPN9VLP+dTpTxUvBS+EeZUR8h/isklgP6+YKxziBu Ttlgy+Zps7RcfuJyX9ohsLcX8Ib+8LVBcWgjcg53/kQrjiDhNnItw/cuCGuX8Uqdd2pb yzyg== X-Gm-Message-State: AOJu0Yx9UDuKa8Ne3IFW/R01E2lzCqaHA0VZxJ/1IZfL5Il8+RSu1kM6 znv/6UYlgJ77Tlx9B3Bba7ulHX5SWGx9+GpD5ao9UFZ+rctEMhZXAnVti7OatAEPXCjFy3E2+m/ Bx+s= X-Google-Smtp-Source: AGHT+IEW2OVzxKLAVy2O/Asw/VfN8V1vzB5kB0kGd9jEdidIVbUca7LQ+PDJFSxlnrRsbGopGglg8A== X-Received: by 2002:a05:6a20:1591:b0:1a3:c43b:2c2c with SMTP id h17-20020a056a20159100b001a3c43b2c2cmr14433600pzj.47.1712116041526; Tue, 02 Apr 2024 20:47:21 -0700 (PDT) Received: from xps13.. (067-053-223-136.biz.spectrum.com. [67.53.223.136]) by smtp.gmail.com with ESMTPSA id m11-20020a170902c44b00b001e278fb17c5sm2326128plm.150.2024.04.02.20.47.20 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 02 Apr 2024 20:47:21 -0700 (PDT) 
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 8/9] gcc: Backport sanitizer fix for 32-bit ASLR Date: Tue, 2 Apr 2024 17:47:01 -1000 Message-Id: <7af8e24d6c60a01e398b10a57939947fb156feec.1712115855.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 03 Apr 2024 03:47:24 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/197901 From: Claus Stovgaard When using the gcc-sanitizers as part of the SDK on a Linux with a newer kernel, the ASAN fails randomly. This was seen on Ubuntu 22.04. This is also described at https://stackoverflow.com/questions/77894856/possible-bug-in-gcc-sanitizers Backport the fix from LLVM project, as gcc has not yet backported anything for the 11 series. Signed-off-by: Claus Stovgaard Signed-off-by: Steve Sakoman --- meta/recipes-devtools/gcc/gcc-11.4.inc | 1 + .../gcc/gcc/0031-gcc-sanitizers-fix.patch | 63 +++++++++++++++++++ 2 files changed, 64 insertions(+) create mode 100644 meta/recipes-devtools/gcc/gcc/0031-gcc-sanitizers-fix.patch diff --git a/meta/recipes-devtools/gcc/gcc-11.4.inc b/meta/recipes-devtools/gcc/gcc-11.4.inc index 88310e6b79..fd6a3e92e3 100644 --- a/meta/recipes-devtools/gcc/gcc-11.4.inc +++ b/meta/recipes-devtools/gcc/gcc-11.4.inc @@ -59,6 +59,7 @@ SRC_URI = "\ file://0028-debug-101473-apply-debug-prefix-maps-before-checksum.patch \ file://0029-Fix-install-path-of-linux64.h.patch \ file://0030-rust-recursion-limit.patch \ + file://0031-gcc-sanitizers-fix.patch \ file://0001-CVE-2021-42574.patch \ file://0002-CVE-2021-42574.patch \ file://0003-CVE-2021-42574.patch \ diff --git a/meta/recipes-devtools/gcc/gcc/0031-gcc-sanitizers-fix.patch b/meta/recipes-devtools/gcc/gcc/0031-gcc-sanitizers-fix.patch new file mode 100644 index 0000000000..d63618132a 
--- /dev/null +++ b/meta/recipes-devtools/gcc/gcc/0031-gcc-sanitizers-fix.patch 
@@ -0,0 +1,63 @@ +From fb77ca05ffb4f8e666878f2f6718a9fb4d686839 Mon Sep 17 00:00:00 2001 +From: Thurston Dang +Date: Thu, 13 Apr 2023 23:55:01 +0000 +Subject: [PATCH] Re-land 'ASan: move allocator base to avoid conflict with + high-entropy ASLR for x86-64 Linux' + +D147984 was reverted because it broke lit tests on Mac. This revision is based on D147984 +but maintains the old behavior for Apple. + +Note that, per the follow-up discussion with MaskRay in D147984, this patch excludes Apple +but includes other platforms (e.g., aarch64, MIPS64) and OSes (e.g., FreeBSD, S390X), not just +x86-64 Linux. + +Original commit message from D147984: + +Users have discovered [*] that when CONFIG_ARCH_MMAP_RND_BITS == 32, +it will frequently conflict with ASan's allocator on x86-64 Linux, because the +PIE program segment base address of 0x555555555554 plus an ASLR shift of up to +((2**32) * 4K == 0x100000000000) will sometimes exceed ASan's hardcoded +base address of 0x600000000000. We fix this by simply moving the allocator base +to 0x500000000000, which is below the PIE program segment base address. This is +cleaner than trying to move it to another location that is sandwiched between +the PIE program and library segments, because if either of those grow too large, +it will collide with the allocator region. + +Note that we will never need to change this base address again (unless we want to increase +the size of the allocator), because ASLR cannot be set above 32-bits for x86-64 Linux (the +PIE program segment and library segments would collide with each other; see also +ARCH_MMAP_RND_BITS_MAX in https://github.com/torvalds/linux/blob/master/arch/x86/Kconfig). 
+ +[*] see https://b.corp.google.com/issues/276925478 +and https://groups.google.com/a/google.com/g/chrome-os-gardeners/c/BbfzCP3dEeo/m/h3C_vVUxCQAJ + +Differential Revision: https://reviews.llvm.org/D148280 + +Upstream-Status: Backport from llvm-project: https://github.com/llvm/llvm-project/commit/fb77ca05ffb4f8e666878f2f6718a9fb4d686839 +Signed-off-by: Claus Stovgaard +--- + libsanitizer/asan/asan_allocator.h | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/libsanitizer/asan/asan_allocator.h b/libsanitizer/asan/asan_allocator.h +index 0b4dbf03bb9d53..6a12a6c6025283 100644 +--- a/libsanitizer/asan/asan_allocator.h ++++ b/libsanitizer/asan/asan_allocator.h +@@ -143,11 +143,15 @@ typedef DefaultSizeClassMap SizeClassMap; + const uptr kAllocatorSpace = ~(uptr)0; + const uptr kAllocatorSize = 0x8000000000ULL; // 500G + typedef DefaultSizeClassMap SizeClassMap; +-# else ++# elif SANITIZER_APPLE + const uptr kAllocatorSpace = 0x600000000000ULL; + const uptr kAllocatorSize = 0x40000000000ULL; // 4T. + typedef DefaultSizeClassMap SizeClassMap; +-# endif ++# else ++const uptr kAllocatorSpace = 0x500000000000ULL; ++const uptr kAllocatorSize = 0x40000000000ULL; // 4T. ++typedef DefaultSizeClassMap SizeClassMap; ++# endif + template + struct AP64 { // Allocator64 parameters. Deliberately using a short name. 
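Review bot: the hunk keys the old 0x600000000000 base on `SANITIZER_APPLE`, the name used in current LLVM; if the libsanitizer copy shipped with gcc 11.4 still spells that macro `SANITIZER_MAC`, the `# elif SANITIZER_APPLE` evaluates to false and Apple targets silently fall into the new `0x500000000000` branch, which is exactly the case the LLVM message says this re-land was meant to keep unchanged. Confirm the spelling against sanitizer_platform.h in the gcc 11 libsanitizer tree and adapt the macro name if needed; for the Linux targets kirkstone builds the net effect is the same either way, which is worth one sentence in the patch header. The `index 0b4dbf03bb9d53..6a12a6c6025283` line carries LLVM blob ids rather than gcc's; harmless with -p1, but it confirms this is a straight compiler-rt backport onto a differently versioned file.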
+ static const uptr kSpaceBeg = kAllocatorSpace; From patchwork Wed Apr 3 03:47:02 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 41946 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3DC22CD129A for ; Wed, 3 Apr 2024 03:47:24 +0000 (UTC) Received: from mail-pl1-f169.google.com (mail-pl1-f169.google.com [209.85.214.169]) by mx.groups.io with SMTP id smtpd.web10.3153.1712116043887177932 for ; Tue, 02 Apr 2024 20:47:23 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=xOPvYXSY; spf=softfail (domain: sakoman.com, ip: 209.85.214.169, mailfrom: steve@sakoman.com) Received: by mail-pl1-f169.google.com with SMTP id d9443c01a7336-1def3340682so51208025ad.1 for ; Tue, 02 Apr 2024 20:47:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1712116043; x=1712720843; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=6Ph0czHdOf2Qeclxwvzh9biefYclXK0tLGws/Hnaq6Y=; b=xOPvYXSYPzMhcQRVLnxLKUtIzeuBY7n9UYSiwLT+asNdCxK8SJKUDzwYcni7VYIJp0 dvV+8eAJc38jCCt7+grhEzY1adoT/Av9wSS/1xxYjyBomqDEMu+x25PShG9O8hFSyj4z YgCkIhm8RkFu5oNjAsSYQSob/o5QeJgc7MpYKqUAZyGenJjkgxA7b9lZ2ULBKxXJo7Ib CcD5xSs4Hw7F0q4Ok/sZo7Zq+jRkm1yqzskXZmzfPBnvuaRHGScEcWDQ44jUCJQNMByg W5yk6x+vsXG6rHwG0V6q3j8efng63C0CB2lga6lkc8O41kcgLROIaB4BoBAx1BauRpNl i3og== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712116043; x=1712720843; 
h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=6Ph0czHdOf2Qeclxwvzh9biefYclXK0tLGws/Hnaq6Y=; b=ey6jFAD9OUHOYvztztf41VfAVwOC21nvVGBK0YO+JlCnUlAbj1GBm2cjd3O58NFxLY jbOd2/IVAg9lVywym0BVPpBQhUvkndnkpLEnyqEtKopyvWrcUZUO3zf8QZC+g7q1xfGn QIzq5M9Oi8BvicIKjZNlV68JdccwQMXl8zHs90x11x569d+t1JCEChuD3ar8VAxaugTv syKoGPZebSYfYGCSgNLlR4zE5q9romF9YdosJLkb97+t54y/OuchK+SkZ4tiV6NtKxsz 8aHTH+yYmMjhMMmDOWPM0xu/R+OGX4L5dXjl/t5b+5BsZUqyG2lBKAQFQg3v74Z4/RHT OtxQ== X-Gm-Message-State: AOJu0YxYKdoOHb4PsHyVZWNNCl5bODaJhVTcKUS5VmAVrvXknO8KOmNx dij2tqFBpBeI53YqJLNIUI9IKi7tcpMpSHqBsp95jcLUrjbEXSdsqehH13A74Tq//r5cgjoYLC+ SLDg= X-Google-Smtp-Source: AGHT+IG/SOSTFV5h7uK34uSOUQZkQomNG59uFnwAV6bvGdSlRw4otGdVajAFn5Te8+LFateqjiJpjQ== X-Received: by 2002:a17:903:24c:b0:1e2:573:eef7 with SMTP id j12-20020a170903024c00b001e20573eef7mr19540511plh.0.1712116043116; Tue, 02 Apr 2024 20:47:23 -0700 (PDT) Received: from xps13.. (067-053-223-136.biz.spectrum.com. [67.53.223.136]) by smtp.gmail.com with ESMTPSA id m11-20020a170902c44b00b001e278fb17c5sm2326128plm.150.2024.04.02.20.47.22 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 02 Apr 2024 20:47:22 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 9/9] common-licenses: Backport missing license Date: Tue, 2 Apr 2024 17:47:02 -1000 Message-Id: <26a878cbfbb3bc7a6e892e105577ebf8138ce150.1712115855.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 03 Apr 2024 03:47:24 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/197902 From: Colin McAllister Backports missing license from master to kirkstone. Signed-off-by: Colin McAllister 
Signed-off-by: Steve Sakoman --- .../LGPL-3.0-with-zeromq-exception | 181 ++++++++++++++++++ 1 file changed, 181 insertions(+) create mode 100644 meta/files/common-licenses/LGPL-3.0-with-zeromq-exception diff --git a/meta/files/common-licenses/LGPL-3.0-with-zeromq-exception b/meta/files/common-licenses/LGPL-3.0-with-zeromq-exception new file mode 100644 index 0000000000..02e943c4ac --- /dev/null +++ b/meta/files/common-licenses/LGPL-3.0-with-zeromq-exception 
@@ -0,0 +1,181 @@ + GNU LESSER GENERAL PUBLIC LICENSE + Version 3, 29 June 2007 + + Copyright (C) 2007 Free Software Foundation, Inc. + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + + This version of the GNU Lesser General Public License incorporates +the terms and conditions of version 3 of the GNU General Public +License, supplemented by the additional permissions listed below. + + 0. Additional Definitions. + + As used herein, "this License" refers to version 3 of the GNU Lesser +General Public License, and the "GNU GPL" refers to version 3 of the GNU +General Public License. + + "The Library" refers to a covered work governed by this License, +other than an Application or a Combined Work as defined below. + + An "Application" is any work that makes use of an interface provided +by the Library, but which is not otherwise based on the Library. +Defining a subclass of a class defined by the Library is deemed a mode +of using an interface provided by the Library. + + A "Combined Work" is a work produced by combining or linking an +Application with the Library. The particular version of the Library +with which the Combined Work was made is also called the "Linked +Version". + + The "Minimal Corresponding Source" for a Combined Work means the +Corresponding Source for the Combined Work, excluding any source code +for portions of the Combined Work that, considered in isolation, are +based on the Application, and not on the Linked Version. + + The "Corresponding Application Code" for a Combined Work means the +object code and/or source code for the Application, including any data +and utility programs needed for reproducing the Combined Work from the +Application, but excluding the System Libraries of the Combined Work. + + 1. Exception to Section 3 of the GNU GPL. + + You may convey a covered work under sections 3 and 4 of this License +without being bound by section 3 of the GNU GPL. 
+ + 2. Conveying Modified Versions. + + If you modify a copy of the Library, and, in your modifications, a +facility refers to a function or data to be supplied by an Application +that uses the facility (other than as an argument passed when the +facility is invoked), then you may convey a copy of the modified +version: + + a) under this License, provided that you make a good faith effort to + ensure that, in the event an Application does not supply the + function or data, the facility still operates, and performs + whatever part of its purpose remains meaningful, or + + b) under the GNU GPL, with none of the additional permissions of + this License applicable to that copy. + + 3. Object Code Incorporating Material from Library Header Files. + + The object code form of an Application may incorporate material from +a header file that is part of the Library. You may convey such object +code under terms of your choice, provided that, if the incorporated +material is not limited to numerical parameters, data structure +layouts and accessors, or small macros, inline functions and templates +(ten or fewer lines in length), you do both of the following: + + a) Give prominent notice with each copy of the object code that the + Library is used in it and that the Library and its use are + covered by this License. + + b) Accompany the object code with a copy of the GNU GPL and this license + document. + + 4. Combined Works. + + You may convey a Combined Work under terms of your choice that, +taken together, effectively do not restrict modification of the +portions of the Library contained in the Combined Work and reverse +engineering for debugging such modifications, if you also do each of +the following: + + a) Give prominent notice with each copy of the Combined Work that + the Library is used in it and that the Library and its use are + covered by this License. + + b) Accompany the Combined Work with a copy of the GNU GPL and this license + document. 
+ + c) For a Combined Work that displays copyright notices during + execution, include the copyright notice for the Library among + these notices, as well as a reference directing the user to the + copies of the GNU GPL and this license document. + + d) Do one of the following: + + 0) Convey the Minimal Corresponding Source under the terms of this + License, and the Corresponding Application Code in a form + suitable for, and under terms that permit, the user to + recombine or relink the Application with a modified version of + the Linked Version to produce a modified Combined Work, in the + manner specified by section 6 of the GNU GPL for conveying + Corresponding Source. + + 1) Use a suitable shared library mechanism for linking with the + Library. A suitable mechanism is one that (a) uses at run time + a copy of the Library already present on the user's computer + system, and (b) will operate properly with a modified version + of the Library that is interface-compatible with the Linked + Version. + + e) Provide Installation Information, but only if you would otherwise + be required to provide such information under section 6 of the + GNU GPL, and only to the extent that such information is + necessary to install and execute a modified version of the + Combined Work produced by recombining or relinking the + Application with a modified version of the Linked Version. (If + you use option 4d0, the Installation Information must accompany + the Minimal Corresponding Source and Corresponding Application + Code. If you use option 4d1, you must provide the Installation + Information in the manner specified by section 6 of the GNU GPL + for conveying Corresponding Source.) + + 5. Combined Libraries. 
+ + You may place library facilities that are a work based on the +Library side by side in a single library together with other library +facilities that are not Applications and are not covered by this +License, and convey such a combined library under terms of your +choice, if you do both of the following: + + a) Accompany the combined library with a copy of the same work based + on the Library, uncombined with any other library facilities, + conveyed under the terms of this License. + + b) Give prominent notice with the combined library that part of it + is a work based on the Library, and explaining where to find the + accompanying uncombined form of the same work. + + 6. Revised Versions of the GNU Lesser General Public License. + + The Free Software Foundation may publish revised and/or new versions +of the GNU Lesser General Public License from time to time. Such new +versions will be similar in spirit to the present version, but may +differ in detail to address new problems or concerns. + + Each version is given a distinguishing version number. If the +Library as you received it specifies that a certain numbered version +of the GNU Lesser General Public License "or any later version" +applies to it, you have the option of following the terms and +conditions either of that published version or of any later version +published by the Free Software Foundation. If the Library as you +received it does not specify a version number of the GNU Lesser +General Public License, you may choose any version of the GNU Lesser +General Public License ever published by the Free Software Foundation. + + If the Library as you received it specifies that a proxy can decide +whether future versions of the GNU Lesser General Public License shall +apply, that proxy's public statement of acceptance of any version is +permanent authorization for you to choose that version for the +Library. 
+ +-------------------------------------------------------------------------------- + + SPECIAL EXCEPTION GRANTED BY COPYRIGHT HOLDERS + +As a special exception, copyright holders give you permission to link this +library with independent modules to produce an executable, regardless of +the license terms of these independent modules, and to copy and distribute +the resulting executable under terms of your choice, provided that you also +meet, for each linked independent module, the terms and conditions of +the license of that module. An independent module is a module which is not +derived from or based on this library. If you modify this library, you must +extend this exception to your version of the library. + +Note: this exception relieves you of any obligations under sections 4 and 5 +of this license, and section 6 of the GNU General Public License.
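Review bot: this hunk introduces a new license file (GNU LGPL v3 plus a linking exception) into a patch whose stated purpose is a CVE-2023-44487 fix, so the recipe's license metadata needs to follow it: the nghttp2 recipe's LICENSE and LIC_FILES_CHKSUM should be extended to name this file (LGPL-3.0-only or -or-later with the exception, as appropriate) and its checksum, otherwise the build will pass while the package's declared licensing no longer matches what ships. It would also help to state, in the commit message, which third-party component this license belongs to and why the backported fix needs it, since a reader of the kirkstone branch will otherwise see an LGPL text appear in an MIT-licensed package with no explanation. One detail worth double-checking against the source tree: the closing note says the exception "relieves you of any obligations under sections 4 and 5 of this license, and section 6 of the GNU General Public License", so the effective license for consumers is LGPL-3.0 with the exception, not plain LGPL-3.0; the SPDX string in the recipe should reflect that distinction.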