From patchwork Fri Jul 29 15:24:05 2022
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 10780
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][dunfell 1/7] gnupg: CVE-2022-34903 possible signature forgery via injection into the status line
Date: Fri, 29 Jul 2022 05:24:05 -1000
Message-Id: <2bf155d59e33972bbb1780e34753199b5a9192a0.1659108121.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/168666
From: Hitendra Prajapati

Source: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git
MR: 119424
Type: Security Fix
Disposition: Backport from https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=34c649b3601383cd11dbc76221747ec16fd68e1b
ChangeID: 97de66d6aa74e12cb1bf82fe85ee62e2530fccf6
Description: CVE-2022-34903 gnupg: possible signature forgery via injection into the status line.

Signed-off-by: Hitendra Prajapati
Signed-off-by: Steve Sakoman
---
 .../gnupg/gnupg/CVE-2022-34903.patch | 44 +++++++++++++++++++
 meta/recipes-support/gnupg/gnupg_2.2.27.bb | 1 +
 2 files changed, 45 insertions(+)
 create mode 100644 meta/recipes-support/gnupg/gnupg/CVE-2022-34903.patch

diff --git a/meta/recipes-support/gnupg/gnupg/CVE-2022-34903.patch b/meta/recipes-support/gnupg/gnupg/CVE-2022-34903.patch
new file mode 100644
index 0000000000..5992949d35
--- /dev/null
+++ b/meta/recipes-support/gnupg/gnupg/CVE-2022-34903.patch
@@ -0,0 +1,44 @@ +From 2f05fc96b1332caf97176841b1152da3f0aa16a8 Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati +Date: Fri, 22 Jul 2022 17:52:36 +0530 +Subject: [PATCH] CVE-2022-34903 + +Upstream-Status: Backport [https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=34c649b3601383cd11dbc76221747ec16fd68e1b] +CVE: CVE-2022-34903 +Signed-off-by: Hitendra Prajapati +--- + g10/cpr.c | 13 ++++--------- + 1 file changed, 4 insertions(+), 9 deletions(-) + +diff --git a/g10/cpr.c b/g10/cpr.c +index d502e8b..bc4b715 100644 +--- a/g10/cpr.c ++++ b/g10/cpr.c +@@ -328,20 +328,15 @@ write_status_text_and_buffer (int no, const char *string, + } + first = 0; + } +- for (esc=0, s=buffer, n=len; n && !esc; s++, n--) ++ for (esc=0, s=buffer, n=len; n; s++, n--) + { + if (*s == '%' || *(const byte*)s <= lower_limit + || *(const byte*)s == 127 ) + esc = 1; + if (wrap && ++count > wrap) +- { +- dowrap=1; +- break; +- } +- } +- if (esc) +- { +- s--; n++; ++ dowrap=1; ++ if (esc || dowrap) ++ break; + } + if (s != buffer) + es_fwrite (buffer, s-buffer, 1, statusfp); +-- +2.25.1 + diff --git a/meta/recipes-support/gnupg/gnupg_2.2.27.bb b/meta/recipes-support/gnupg/gnupg_2.2.27.bb index 18bb855769..bd09b02017 100644 --- a/meta/recipes-support/gnupg/gnupg_2.2.27.bb +++ b/meta/recipes-support/gnupg/gnupg_2.2.27.bb 
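Review bot: the `s--; n++;` rewind in the cpr.c hunk is dropped because the rewritten loop `break`s on `esc || dowrap` before the `s++, n--` increment runs, so `s` is left pointing at the byte that needs escaping or at the byte where the wrap limit was hit. In the old loop the rewind ran whenever `esc` was set, including the path where `++count > wrap` had already broken out without incrementing, which left `s` one byte too early when an escapable byte sat exactly at the wrap boundary. The code after `es_fwrite (buffer, s-buffer, 1, statusfp);` that emits the `%XX` escape and the wrap newline is outside this hunk; please confirm it still expects `s` to point at the offending byte, and add a test case that places a control byte exactly at position `wrap` in the buffer, since that is the combination the old code mishandled.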
@@ -20,6 +20,7 @@ SRC_URI = "${GNUPG_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \ file://0003-dirmngr-uses-libgpg-error.patch \ file://0004-autogen.sh-fix-find-version-for-beta-checking.patch \ file://0001-Woverride-init-is-not-needed-with-gcc-9.patch \ + file://CVE-2022-34903.patch \ " SRC_URI_append_class-native = " file://0001-configure.ac-use-a-custom-value-for-the-location-of-.patch \ file://relocate.patch"

From patchwork Fri Jul 29 15:24:06 2022
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 10779
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][dunfell 2/7] libjpeg-turbo: Fix CVE-2021-46822
Date: Fri, 29 Jul 2022 05:24:06 -1000
Message-Id: <80d14a9aaff273daca68c2e860701d51fee45851.1659108121.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/168667
From: "Sana.Kazi"

Add patch to fix CVE-2021-46822

Link: https://github.com/libjpeg-turbo/libjpeg-turbo/commit/f35fd27ec641c42d6b115bfa595e483ec58188d2.patch

Signed-off-by: Bhabu Bindu
Signed-off-by: Steve Sakoman
---
 .../jpeg/files/CVE-2021-46822.patch | 133 ++++++++++++++++++
 .../jpeg/libjpeg-turbo_2.0.4.bb | 1 +
 2 files changed, 134 insertions(+)
 create mode 100644 meta/recipes-graphics/jpeg/files/CVE-2021-46822.patch

diff --git a/meta/recipes-graphics/jpeg/files/CVE-2021-46822.patch b/meta/recipes-graphics/jpeg/files/CVE-2021-46822.patch
new file mode 100644
index 0000000000..68cf89e628
--- /dev/null
+++ b/meta/recipes-graphics/jpeg/files/CVE-2021-46822.patch
@@ -0,0 +1,133 @@ +From f35fd27ec641c42d6b115bfa595e483ec58188d2 Mon Sep 17 00:00:00 2001 +From: DRC +Date: Tue, 6 Apr 2021 12:51:03 -0500 +Subject: [PATCH] tjLoadImage: Fix issues w/loading 16-bit PPMs/PGMs + +- The PPM reader now throws an error rather than segfaulting (due to a + buffer overrun) if an application attempts to load a 16-bit PPM file + into a grayscale uncompressed image buffer. No known applications + allowed that (not even the test applications in libjpeg-turbo), + because that mode of operation was never expected to work and did not + work under any circumstances. (In fact, it was necessary to modify + TJBench in order to reproduce the issue outside of a fuzzing + environment.) This was purely a matter of making the library bow out + gracefully rather than crash if an application tries to do something + really stupid. + +- The PPM reader now throws an error rather than generating incorrect + pixels if an application attempts to load a 16-bit PGM file into an + RGB uncompressed image buffer. + +- The PPM reader now correctly loads 16-bit PPM files into extended + RGB uncompressed image buffers. (Previously it generated incorrect + pixels unless the input colorspace was JCS_RGB or JCS_EXT_RGB.) + +The only way that users could have potentially encountered these issues +was through the tjLoadImage() function. cjpeg and TJBench were +unaffected. + +CVE: CVE-2021-46822 +Upstream-Status: Backport [https://github.com/libjpeg-turbo/libjpeg-turbo/commit/f35fd27ec641c42d6b115bfa595e483ec58188d2.patch] +Comment: Refreshed hunks from ChangeLog.md + Refreshed hunks from rdppm.c + +Signed-off-by: Bhabu Bindu + +--- + ChangeLog.md | 10 ++++++++++ + rdppm.c | 26 ++++++++++++++++++++------ + 2 files changed, 30 insertions(+), 6 deletions(-) + +diff --git a/ChangeLog.md b/ChangeLog.md +index 968969c6b..12e730a0e 100644 +--- a/ChangeLog.md ++++ b/ChangeLog.md +@@ -44,6 +44,15 @@ + that maximum value was less than 255. 
libjpeg-turbo 1.5.0 already included a + similar fix for binary PPM/PGM files with maximum values greater than 255. + ++7. The PPM reader now throws an error, rather than segfaulting (due to a buffer ++overrun) or generating incorrect pixels, if an application attempts to use the ++`tjLoadImage()` function to load a 16-bit binary PPM file (a binary PPM file ++with a maximum value greater than 255) into a grayscale image buffer or to load ++a 16-bit binary PGM file into an RGB image buffer. ++ ++8. Fixed an issue in the PPM reader that caused incorrect pixels to be ++generated when using the `tjLoadImage()` function to load a 16-bit binary PPM ++file into an extended RGB image buffer. + + 2.0.3 + ===== +diff --git a/rdppm.c b/rdppm.c +index c4c937e8a..6ac8fdbf7 100644 +--- a/rdppm.c ++++ b/rdppm.c +@@ -5,7 +5,7 @@ + * Copyright (C) 1991-1997, Thomas G. Lane. + * Modified 2009 by Bill Allombert, Guido Vollbeding. + * libjpeg-turbo Modifications: +- * Copyright (C) 2015-2017, 2020, D. R. Commander. ++ * Copyright (C) 2015-2017, 2020-2021, D. R. Commander. + * For conditions of distribution and use, see the accompanying README.ijg + * file. 
+ * +@@ -516,6 +516,11 @@ get_word_rgb_row(j_compress_ptr cinfo, cjpeg_source_ptr sinfo) + register JSAMPLE *rescale = source->rescale; + JDIMENSION col; + unsigned int maxval = source->maxval; ++ register int rindex = rgb_red[cinfo->in_color_space]; ++ register int gindex = rgb_green[cinfo->in_color_space]; ++ register int bindex = rgb_blue[cinfo->in_color_space]; ++ register int aindex = alpha_index[cinfo->in_color_space]; ++ register int ps = rgb_pixelsize[cinfo->in_color_space]; + + if (!ReadOK(source->pub.input_file, source->iobuffer, source->buffer_width)) + ERREXIT(cinfo, JERR_INPUT_EOF); +@@ -527,17 +532,20 @@ get_word_rgb_row(j_compress_ptr cinfo, cjpeg_source_ptr sinfo) + temp |= UCH(*bufferptr++); + if (temp > maxval) + ERREXIT(cinfo, JERR_PPM_OUTOFRANGE); +- *ptr++ = rescale[temp]; ++ ptr[rindex] = rescale[temp]; + temp = UCH(*bufferptr++) << 8; + temp |= UCH(*bufferptr++); + if (temp > maxval) + ERREXIT(cinfo, JERR_PPM_OUTOFRANGE); +- *ptr++ = rescale[temp]; ++ ptr[gindex] = rescale[temp]; + temp = UCH(*bufferptr++) << 8; + temp |= UCH(*bufferptr++); + if (temp > maxval) + ERREXIT(cinfo, JERR_PPM_OUTOFRANGE); +- *ptr++ = rescale[temp]; ++ ptr[bindex] = rescale[temp]; ++ if (aindex >= 0) ++ ptr[aindex] = 0xFF; ++ ptr += ps; + } + return 1; + } +@@ -624,7 +632,10 @@ start_input_ppm(j_compress_ptr cinfo, cjpeg_source_ptr sinfo) + cinfo->in_color_space = JCS_GRAYSCALE; + TRACEMS2(cinfo, 1, JTRC_PGM, w, h); + if (maxval > 255) { +- source->pub.get_pixel_rows = get_word_gray_row; ++ if (cinfo->in_color_space == JCS_GRAYSCALE) ++ source->pub.get_pixel_rows = get_word_gray_row; ++ else ++ ERREXIT(cinfo, JERR_BAD_IN_COLORSPACE); + } else if (maxval == MAXJSAMPLE && sizeof(JSAMPLE) == sizeof(U_CHAR) && + cinfo->in_color_space == JCS_GRAYSCALE) { + source->pub.get_pixel_rows = get_raw_row; +@@ -657,7 +657,10 @@ + cinfo->in_color_space = JCS_EXT_RGB; + TRACEMS2(cinfo, 1, JTRC_PPM, w, h); + if (maxval > 255) { +- source->pub.get_pixel_rows = get_word_rgb_row; ++ if 
(IsExtRGB(cinfo->in_color_space)) ++ source->pub.get_pixel_rows = get_word_rgb_row; ++ else ++ ERREXIT(cinfo, JERR_BAD_IN_COLORSPACE); + } else if (maxval == MAXJSAMPLE && sizeof(JSAMPLE) == sizeof(U_CHAR) && + (cinfo->in_color_space == JCS_EXT_RGB + #if RGB_RED == 0 && RGB_GREEN == 1 && RGB_BLUE == 2 && RGB_PIXELSIZE == 3 diff --git a/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.4.bb b/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.4.bb index 3005a8a789..6575582b0c 100644 --- a/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.4.bb +++ b/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.4.bb 
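Review bot: in the `get_word_rgb_row` hunk the per-pixel writes now go through `rindex`/`gindex`/`bindex`/`aindex` and `ps`, all looked up by `cinfo->in_color_space`; that is only safe because the later `start_input_ppm` hunk routes `maxval > 255` PPM input to this function solely when `IsExtRGB(cinfo->in_color_space)` holds, otherwise the lookup tables would be indexed by a non-RGB colorspace. A one-line comment at the top of `get_word_rgb_row` stating that precondition would help, since the two hunks are far apart and a later change to the dispatch in `start_input_ppm` would silently reintroduce the out-of-range write.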
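Review bot: the last rdppm.c hunk header `@@ -657,7 +657,10 @@` carries no function context and its new-file start line does not account for the three lines added by the previous hunk (`@@ -624,7 +632,10 @@` already shows an +8 offset), which matches the `Comment: Refreshed hunks from rdppm.c` note in the header. `git apply`/`patch` will still place it by context, but the hunk should be regenerated against the 2.0.4 tree (e.g. with `git format-patch`) so the backport applies without offset or fuzz warnings in do_patch.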
@@ -13,6 +13,7 @@ DEPENDS_append_x86_class-target = " nasm-native" SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}-${PV}.tar.gz \ file://0001-libjpeg-turbo-fix-package_qa-error.patch \ file://CVE-2020-13790.patch \ + file://CVE-2021-46822.patch \ " SRC_URI[md5sum] = "d01d9e0c28c27bc0de9f4e2e8ff49855"

From patchwork Fri Jul 29 15:24:07 2022
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 10781
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][dunfell 3/7] kernel-fitimage.bbclass: add padding algorithm property in config nodes
Date: Fri, 29 Jul 2022 05:24:07 -1000
Message-Id: <152765b74c77b4da102fce9c4c61a667e71f26a1.1659108121.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/168668

From: LUIS ENRIQUEZ

This allows choosing the padding algorithm when building a fitImage. It may be pkcs-1.5 or pss.

Signed-off-by: LUIS ENRIQUEZ
Signed-off-by: Steve Sakoman
---
 meta/classes/kernel-fitimage.bbclass | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass
index 5f5e9dd444..7c0d93625b 100644
--- a/meta/classes/kernel-fitimage.bbclass
+++ b/meta/classes/kernel-fitimage.bbclass
@@ -56,6 +56,9 @@ FIT_HASH_ALG ?= "sha256" # fitImage Signature Algo FIT_SIGN_ALG ?= "rsa2048" +# fitImage Padding Algo +FIT_PAD_ALG ?= "pkcs-1.5" + # # Emit the fitImage ITS header # @@ -250,6 +253,7 @@ fitimage_emit_section_config() { conf_csum="${FIT_HASH_ALG}" conf_sign_algo="${FIT_SIGN_ALG}" + conf_padding_algo="${FIT_PAD_ALG}" if [ "${UBOOT_SIGN_ENABLE}" = "1" ] ; then conf_sign_keyname="${UBOOT_SIGN_KEYNAME}" fi
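Review bot: `FIT_PAD_ALG` is copied into `conf_padding_algo` and from there straight into the `padding = "${conf_padding_algo}";` property of the signature node with no validation; the commit message says the only meaningful values are `pkcs-1.5` and `pss`, so either document that in the comment above `FIT_PAD_ALG ?= "pkcs-1.5"` (the neighbouring `FIT_HASH_ALG` and `FIT_SIGN_ALG` comments set the pattern) or reject other strings at the top of `fitimage_emit_section_config`, because a typo only surfaces later when mkimage signs the image or, worse, when the bootloader on the device refuses to verify it. Defaulting to `pkcs-1.5` keeps images produced by existing configurations unchanged, but the commit message should also say that whoever switches to `pss` must make sure the bootloader build that verifies the signature understands that padding, since the property is consumed at verification time, not only at signing time.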
@@ -333,6 +337,7 @@ EOF signature-1 { algo = "${conf_csum},${conf_sign_algo}"; key-name-hint = "${conf_sign_keyname}"; + padding = "${conf_padding_algo}"; ${sign_line} }; EOF

From patchwork Fri Jul 29 15:24:08 2022
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 10782
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][dunfell 4/7] grub2: Fix buffer underflow write in the heap
Date: Fri, 29 Jul 2022 05:24:08 -1000
Message-Id: <191db3c58b52fa7c8530d82f7e3e3b24075fdeb4.1659108121.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/168669
From: Hitendra Prajapati

Source: https://git.savannah.gnu.org/gitweb/?p=grub.git
MR: 119719, 119733, 119689
Type: Security Fix
Disposition: Backport from https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=e623866d9286410156e8b9d2c82d6253a1b22d08 && https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=210245129c932dc9e1c2748d9d35524fb95b5042 && https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=22a3f97d39f6a10b08ad7fd1cc47c4dcd10413f6
ChangeID: 97605970cd42776fa449fd8318f2762e32bbd177
Description: Fixed CVEs:
  CVE-2021-3695
  CVE-2021-3696
  CVE-2021-3697
Affects "grub2 < 2.06"

Signed-off-by: Hitendra Prajapati
Signed-off-by: Steve Sakoman
---
 .../grub/files/CVE-2021-3695.patch | 178 ++++++++++++++++++
 .../grub/files/CVE-2021-3696.patch | 46 +++++
 .../grub/files/CVE-2021-3697.patch | 82 ++++++++
 meta/recipes-bsp/grub/grub2.inc | 5 +-
 4 files changed, 310 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2021-3695.patch
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2021-3696.patch
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2021-3697.patch

diff --git a/meta/recipes-bsp/grub/files/CVE-2021-3695.patch b/meta/recipes-bsp/grub/files/CVE-2021-3695.patch
new file mode 100644
index 0000000000..7d6e805725
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2021-3695.patch
@@ -0,0 +1,178 @@ +From 0693d672abcf720419f86c56bda6428c540e2bb1 Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati +Date: Wed, 20 Jul 2022 10:01:35 +0530 +Subject: [PATCH] CVE-2021-3695 + +Upstream-Status: Backport [https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=e623866d9286410156e8b9d2c82d6253a1b22d08] +CVE: CVE-2021-3695 +Signed-off-by: Hitendra Prajapati + + video/readers/png: Drop greyscale support to fix heap out-of-bounds write + +A 16-bit greyscale PNG without alpha is processed in the following loop: + + for (i = 0; i < (data->image_width * data->image_height); + i++, d1 += 4, d2 += 2) +{ + d1[R3] = d2[1]; + d1[G3] = d2[1]; + d1[B3] = d2[1]; +} + +The increment of d1 is wrong. d1 is incremented by 4 bytes per iteration, +but there are only 3 bytes allocated for storage. This means that image +data will overwrite somewhat-attacker-controlled parts of memory - 3 bytes +out of every 4 following the end of the image. + +This has existed since greyscale support was added in 2013 in commit +3ccf16dff98f (grub-core/video/readers/png.c: Support grayscale). + +Saving starfield.png as a 16-bit greyscale image without alpha in the gimp +and attempting to load it causes grub-emu to crash - I don't think this code +has ever worked. + +Delete all PNG greyscale support. 
+ +Fixes: CVE-2021-3695 + +Signed-off-by: Daniel Axtens +Reviewed-by: Daniel Kiper +--- + grub-core/video/readers/png.c | 89 ++++------------------------------- + 1 file changed, 8 insertions(+), 81 deletions(-) + +diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c +index 0157ff7..db4a9d4 100644 +--- a/grub-core/video/readers/png.c ++++ b/grub-core/video/readers/png.c +@@ -100,7 +100,7 @@ struct grub_png_data + + unsigned image_width, image_height; + int bpp, is_16bit; +- int raw_bytes, is_gray, is_alpha, is_palette; ++ int raw_bytes, is_alpha, is_palette; + int row_bytes, color_bits; + grub_uint8_t *image_data; + +@@ -280,13 +280,13 @@ grub_png_decode_image_header (struct grub_png_data *data) + data->bpp = 3; + else + { +- data->is_gray = 1; +- data->bpp = 1; ++ return grub_error (GRUB_ERR_BAD_FILE_TYPE, ++ "png: color type not supported"); + } + + if ((color_bits != 8) && (color_bits != 16) + && (color_bits != 4 +- || !(data->is_gray || data->is_palette))) ++ || !data->is_palette)) + return grub_error (GRUB_ERR_BAD_FILE_TYPE, + "png: bit depth must be 8 or 16"); + +@@ -315,7 +315,7 @@ grub_png_decode_image_header (struct grub_png_data *data) + } + + #ifndef GRUB_CPU_WORDS_BIGENDIAN +- if (data->is_16bit || data->is_gray || data->is_palette) ++ if (data->is_16bit || data->is_palette) + #endif + { + data->image_data = grub_calloc (data->image_height, data->row_bytes); +@@ -859,27 +859,8 @@ grub_png_convert_image (struct grub_png_data *data) + int shift; + int mask = (1 << data->color_bits) - 1; + unsigned j; +- if (data->is_gray) +- { +- /* Generic formula is +- (0xff * i) / ((1U << data->color_bits) - 1) +- but for allowed bit depth of 1, 2 and for it's +- equivalent to +- (0xff / ((1U << data->color_bits) - 1)) * i +- Precompute the multipliers to avoid division. 
+- */ +- +- const grub_uint8_t multipliers[5] = { 0xff, 0xff, 0x55, 0x24, 0x11 }; +- for (i = 0; i < (1U << data->color_bits); i++) +- { +- grub_uint8_t col = multipliers[data->color_bits] * i; +- palette[i][0] = col; +- palette[i][1] = col; +- palette[i][2] = col; +- } +- } +- else +- grub_memcpy (palette, data->palette, 3 << data->color_bits); ++ ++ grub_memcpy (palette, data->palette, 3 << data->color_bits); + d1c = d1; + d2c = d2; + for (j = 0; j < data->image_height; j++, d1c += data->image_width * 3, +@@ -917,61 +898,7 @@ grub_png_convert_image (struct grub_png_data *data) + return; + } + +- if (data->is_gray) +- { +- switch (data->bpp) +- { +- case 4: +- /* 16-bit gray with alpha. */ +- for (i = 0; i < (data->image_width * data->image_height); +- i++, d1 += 4, d2 += 4) +- { +- d1[R4] = d2[3]; +- d1[G4] = d2[3]; +- d1[B4] = d2[3]; +- d1[A4] = d2[1]; +- } +- break; +- case 2: +- if (data->is_16bit) +- /* 16-bit gray without alpha. */ +- { +- for (i = 0; i < (data->image_width * data->image_height); +- i++, d1 += 4, d2 += 2) +- { +- d1[R3] = d2[1]; +- d1[G3] = d2[1]; +- d1[B3] = d2[1]; +- } +- } +- else +- /* 8-bit gray with alpha. */ +- { +- for (i = 0; i < (data->image_width * data->image_height); +- i++, d1 += 4, d2 += 2) +- { +- d1[R4] = d2[1]; +- d1[G4] = d2[1]; +- d1[B4] = d2[1]; +- d1[A4] = d2[0]; +- } +- } +- break; +- /* 8-bit gray without alpha. */ +- case 1: +- for (i = 0; i < (data->image_width * data->image_height); +- i++, d1 += 3, d2++) +- { +- d1[R3] = d2[0]; +- d1[G3] = d2[0]; +- d1[B3] = d2[0]; +- } +- break; +- } +- return; +- } +- +- { ++ { + /* Only copy the upper 8 bit. */ + #ifndef GRUB_CPU_WORDS_BIGENDIAN + for (i = 0; i < (data->image_width * data->image_height * data->bpp >> 1); +-- +2.25.1 + diff --git a/meta/recipes-bsp/grub/files/CVE-2021-3696.patch b/meta/recipes-bsp/grub/files/CVE-2021-3696.patch new file mode 100644 index 0000000000..ef6da945c4 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2021-3696.patch 
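Review bot: in the `grub_png_decode_image_header` hunk the bit-depth condition becomes `(color_bits != 4 || !data->is_palette)` while the error text stays `"png: bit depth must be 8 or 16"`, so 4 remains accepted for palette images but the message says otherwise; minor, but worth correcting while the line is being touched. More importantly for a stable branch, this backport removes greyscale PNG support outright instead of fixing the `d1 += 4` stride in the 16-bit loop quoted in the commit message; that is what upstream chose, but it is a user-visible change (greyscale splash images now fail with `"png: color type not supported"`), and neither the recipe commit message nor the `Description:` line says so. Please call it out explicitly so integrators who ship a greyscale background know why it stops loading after the update.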
@@ -0,0 +1,46 @@ +From b18ce59d6496a9313d75f9497a0efac61dcf4191 Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati +Date: Wed, 20 Jul 2022 10:05:42 +0530 +Subject: [PATCH] CVE-2021-3696 + +Upstream-Status: Backport [https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=210245129c932dc9e1c2748d9d35524fb95b5042] +CVE: CVE-2021-3696 +Signed-off-by: Hitendra Prajapati + +video/readers/png: Avoid heap OOB R/W inserting huff table items + +In fuzzing we observed crashes where a code would attempt to be inserted +into a huffman table before the start, leading to a set of heap OOB reads +and writes as table entries with negative indices were shifted around and +the new code written in. + +Catch the case where we would underflow the array and bail. + +Fixes: CVE-2021-3696 +Signed-off-by: Daniel Axtens +Reviewed-by: Daniel Kiper +--- + grub-core/video/readers/png.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c +index 36b3f10..3c05951 100644 +--- a/grub-core/video/readers/png.c ++++ b/grub-core/video/readers/png.c +@@ -416,6 +416,13 @@ grub_png_insert_huff_item (struct huff_table *ht, int code, int len) + for (i = len; i < ht->max_length; i++) + n += ht->maxval[i]; + ++ if (n > ht->num_values) ++ { ++ grub_error (GRUB_ERR_BAD_FILE_TYPE, ++ "png: out of range inserting huffman table item"); ++ return; ++ } ++ + for (i = 0; i < n; i++) + ht->values[ht->num_values - i] = ht->values[ht->num_values - i - 1]; + +-- +2.25.1 + diff --git a/meta/recipes-bsp/grub/files/CVE-2021-3697.patch b/meta/recipes-bsp/grub/files/CVE-2021-3697.patch new file mode 100644 index 0000000000..be15e7d1f2 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2021-3697.patch 
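Review bot: the new `if (n > ht->num_values)` guard sets `grub_error (...)` and then does a bare `return` from a function that returns nothing, so the failure is only observable through `grub_errno`; the callers of `grub_png_insert_huff_item` are outside this hunk, please confirm they (or the decoder's top level) check `grub_errno` before using the table, otherwise decoding continues with a partially built Huffman table. The bound itself matches the shift loop that follows: with `i` running up to `n - 1`, `ht->values[ht->num_values - i - 1]` reads index `num_values - n`, which is exactly what `n > num_values` rejects. Note that the write to `ht->values[ht->num_values]` at `i == 0` is not covered by this check and still relies on the table being allocated one slot larger than `num_values` ever grows; a short comment at the check saying which invariant guarantees that would save the next reader the trip to the allocation site.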
@@ -0,0 +1,82 @@ +From 4de9de9d14f4ac27229e45514627534e32cc4406 Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati +Date: Tue, 19 Jul 2022 11:13:02 +0530 +Subject: [PATCH] CVE-2021-3697 + +Upstream-Status: Backport [https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=22a3f97d39f6a10b08ad7fd1cc47c4dcd10413f6] +CVE: CVE-2021-3697 +Signed-off-by: Hitendra Prajapati + +video/readers/jpeg: Block int underflow -> wild pointer write + +Certain 1 px wide images caused a wild pointer write in +grub_jpeg_ycrcb_to_rgb(). This was caused because in grub_jpeg_decode_data(), +we have the following loop: + +for (; data->r1 < nr1 && (!data->dri || rst); + data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3) + +We did not check if vb * width >= hb * nc1. + +On a 64-bit platform, if that turns out to be negative, it will underflow, +be interpreted as unsigned 64-bit, then be added to the 64-bit pointer, so +we see data->bitmap_ptr jump, e.g.: + +0x6180_0000_0480 to +0x6181_0000_0498 + ^ + ~--- carry has occurred and this pointer is now far away from + any object. + +On a 32-bit platform, it will decrement the pointer, creating a pointer +that won't crash but will overwrite random data. + +Catch the underflow and error out. 
+ +Fixes: CVE-2021-3697 + +Signed-off-by: Daniel Axtens +Reviewed-by: Daniel Kiper +--- + grub-core/video/readers/jpeg.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c +index 31359a4..545a60b 100644 +--- a/grub-core/video/readers/jpeg.c ++++ b/grub-core/video/readers/jpeg.c +@@ -23,6 +23,7 @@ + #include + #include + #include ++#include + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -617,6 +618,7 @@ static grub_err_t + grub_jpeg_decode_data (struct grub_jpeg_data *data) + { + unsigned c1, vb, hb, nr1, nc1; ++ unsigned stride_a, stride_b, stride; + int rst = data->dri; + + vb = 8 << data->log_vs; +@@ -624,8 +626,14 @@ grub_jpeg_decode_data (struct grub_jpeg_data *data) + nr1 = (data->image_height + vb - 1) >> (3 + data->log_vs); + nc1 = (data->image_width + hb - 1) >> (3 + data->log_hs); + ++ if (grub_mul(vb, data->image_width, &stride_a) || ++ grub_mul(hb, nc1, &stride_b) || ++ grub_sub(stride_a, stride_b, &stride)) ++ return grub_error (GRUB_ERR_BAD_FILE_TYPE, ++ "jpeg: cannot decode image with these dimensions"); ++ + for (; data->r1 < nr1 && (!data->dri || rst); +- data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3) ++ data->r1++, data->bitmap_ptr += stride * 3) + for (c1 = 0; c1 < nc1 && (!data->dri || rst); + c1++, rst--, data->bitmap_ptr += hb * 3) + { +-- +2.25.1 + diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index 9e98d8249d..0b7ca6d3d6 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc 
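Review bot: in the grub_png_convert_image hunk of CVE-2021-3695.patch, removing the is_gray branches makes `grub_memcpy (palette, data->palette, 3 << data->color_bits)` unconditional, so the code now relies on grayscale input having been rejected earlier in the decoder; the part of the patch shown here does not contain that rejection, so either include the upstream hunk that adds it in the backport or add a comment at the memcpy saying data->palette is guaranteed to be populated at this point.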
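Review bot: in the grub_png_insert_huff_item hunk of CVE-2021-3696.patch the new `if (n > ht->num_values)` guard reports the problem through grub_error() but the function returns void, so the caller only notices if it tests grub_errno after the call; add a one-line comment at the `return` saying callers are expected to check grub_errno (or change the return type to grub_err_t in a follow-up). The boundary itself is right: the shift loop reads `ht->values[ht->num_values - i - 1]` down to index `num_values - n`, which is non-negative exactly when n <= num_values.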
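Review bot: in the grub_jpeg_decode_data hunk of CVE-2021-3697.patch, `stride` is now computed with checked grub_mul()/grub_sub(), but the loop increment still does `data->bitmap_ptr += stride * 3` with an unchecked `unsigned` multiplication; if image_width and vb are bounded elsewhere so that the product cannot wrap, say so in a comment at the loop, otherwise fold the factor into the checked chain (`grub_mul (stride, 3, &stride)`) so the whole pointer step is verified.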
@@ -95,7 +95,10 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ file://0044-script-execute-Fix-NULL-dereference-in-grub_script_e.patch \ file://0045-commands-ls-Require-device_name-is-not-NULL-before-p.patch \ file://0046-script-execute-Avoid-crash-when-using-outside-a-func.patch \ - file://CVE-2021-3981.patch\ + file://CVE-2021-3981.patch \ + file://CVE-2021-3695.patch \ + file://CVE-2021-3696.patch \ + file://CVE-2021-3697.patch \ " SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934" SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea"
From patchwork Fri Jul 29 15:24:09 2022 X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 10783
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 5/7] qemu: CVE-2022-35414 can perform an uninitialized read on the translate_fail path, leading to an io_readx or io_writex crash Date: Fri, 29 Jul 2022 05:24:09 -1000 Message-Id: <7c3043df56b3090138fe56f8c06df5ca08cafd26.1659108121.git.steve@sakoman.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 29 Jul 2022 15:24:58 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/168670 From: Hitendra Prajapati Source: https://github.com/qemu/qemu MR: 119832 Type: Security Fix Disposition: Backport from https://github.com/qemu/qemu/commit/418ade7849ce7641c0f7333718caf5091a02fd4c ChangeID: 1246afd7bb950d2d5fe2e198961797c0fa14ac00 Description: CVE-2022-35414 qemu: can perform an uninitialized read on the translate_fail path, leading to an io_readx or io_writex crash. Signed-off-by: Hitendra Prajapati Signed-off-by: Steve Sakoman --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2022-35414.patch | 53 +++++++++++++++++++ 2 files changed, 54 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2022-35414.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 4135619fc6..10b4280b23 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -98,6 +98,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2020-13253_4.patch \ file://CVE-2020-13253_5.patch \ file://CVE-2020-13791.patch \ + file://CVE-2022-35414.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-35414.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-35414.patch new file mode 100644 index 0000000000..4196ebcf98 --- /dev/null 
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-35414.patch 
@@ -0,0 +1,53 @@ +From 09a07b5b39c87423df9e8f6574c19a14d36beac5 Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati +Date: Wed, 27 Jul 2022 10:34:12 +0530 +Subject: [PATCH] CVE-2022-35414 + +Upstream-Status: Backport [https://github.com/qemu/qemu/commit/418ade7849ce7641c0f7333718caf5091a02fd4c] +CVE: CVE-2022-35414 +Signed-off-by: Hitendra Prajapati +--- + exec.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/exec.c b/exec.c +index 43c70ffb..2d6add46 100644 +--- a/exec.c ++++ b/exec.c +@@ -685,7 +685,7 @@ static void tcg_iommu_free_notifier_list(CPUState *cpu) + + /* Called from RCU critical section */ + MemoryRegionSection * +-address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr, ++address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr orig_addr, + hwaddr *xlat, hwaddr *plen, + MemTxAttrs attrs, int *prot) + { +@@ -694,6 +694,7 @@ address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr, + IOMMUMemoryRegionClass *imrc; + IOMMUTLBEntry iotlb; + int iommu_idx; ++ hwaddr addr = orig_addr; + AddressSpaceDispatch *d = atomic_rcu_read(&cpu->cpu_ases[asidx].memory_dispatch); + + for (;;) { +@@ -737,6 +738,16 @@ address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr, + return section; + + translate_fail: ++ /* ++ * We should be given a page-aligned address -- certainly ++ * tlb_set_page_with_attrs() does so. The page offset of xlat ++ * is used to index sections[], and PHYS_SECTION_UNASSIGNED = 0. ++ * The page portion of xlat will be logged by memory_region_access_valid() ++ * when this memory access is rejected, so use the original untranslated ++ * physical address. 
++ */ ++ assert((orig_addr & ~TARGET_PAGE_MASK) == 0); ++ *xlat = orig_addr; + return &d->map.sections[PHYS_SECTION_UNASSIGNED]; + } + #endif +-- +2.25.1 +
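Review bot: the new `assert((orig_addr & ~TARGET_PAGE_MASK) == 0)` on the translate_fail path turns an unaligned address from any caller into a process abort, and the comment justifies the alignment only by citing tlb_set_page_with_attrs(); state in the comment or the commit message that this is the only caller of address_space_translate_for_iotlb(), since otherwise the safer choice is `*xlat = orig_addr & TARGET_PAGE_MASK` with the assert kept as a debug aid. The comment could also spell out why alignment matters here: with the page offset of *xlat used as the sections[] index, a page-aligned orig_addr yields index 0, which is PHYS_SECTION_UNASSIGNED.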
From patchwork Fri Jul 29 15:24:10 2022 X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 10785
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 6/7] libTiff: CVE-2022-2056 CVE-2022-2057 CVE-2022-2058 DoS from Divide By Zero Error Date: Fri, 29 Jul 2022 05:24:10 -1000 Message-Id: <429c2c89b65b8e226d4e0d6f94d43300989c143e.1659108121.git.steve@sakoman.com> X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/168671
From: Hitendra Prajapati Source: https://gitlab.com/libtiff/libtiff MR: 119341 Type: Security Fix Disposition: Backport from https://gitlab.com/libtiff/libtiff/-/commit/dd1bcc7abb26094e93636e85520f0d8f81ab0fab ChangeID: 6cea4937a34a618567a42cef8c41961ade2f3a07 Description: CVE-2022-2056 CVE-2022-2057 CVE-2022-2058 libTiff: DoS from Divide By Zero Error. Signed-off-by: Hitendra Prajapati Signed-off-by: Steve Sakoman --- ...022-2056-CVE-2022-2057-CVE-2022-2058.patch | 183 ++++++++++++++++++ meta/recipes-multimedia/libtiff/tiff_4.1.0.bb | 1 + 2 files changed, 184 insertions(+) create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2022-2056-CVE-2022-2057-CVE-2022-2058.patch diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-2056-CVE-2022-2057-CVE-2022-2058.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-2056-CVE-2022-2057-CVE-2022-2058.patch new file mode 100644 index 0000000000..01e81349a2 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-2056-CVE-2022-2057-CVE-2022-2058.patch 
@@ -0,0 +1,183 @@ +From 8261237113a53cd21029c4a8cbb62c47b4c19523 Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati +Date: Wed, 27 Jul 2022 11:30:18 +0530 +Subject: [PATCH] CVE-2022-2056 CVE-2022-2057 CVE-2022-2058 + +Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/dd1bcc7abb26094e93636e85520f0d8f81ab0fab] +CVE: CVE-2022-2056 CVE-2022-2057 CVE-2022-2058 +Signed-off-by: Hitendra Prajapati +--- + libtiff/tif_aux.c | 9 +++++++ + libtiff/tiffiop.h | 1 + + tools/tiffcrop.c | 62 ++++++++++++++++++++++++++--------------------- + 3 files changed, 44 insertions(+), 28 deletions(-) + +diff --git a/libtiff/tif_aux.c b/libtiff/tif_aux.c +index 8188db5..3dac542 100644 +--- a/libtiff/tif_aux.c ++++ b/libtiff/tif_aux.c +@@ -402,6 +402,15 @@ float _TIFFClampDoubleToFloat( double val ) + return (float)val; + } + ++uint32 _TIFFClampDoubleToUInt32(double val) ++{ ++ if( val < 0 ) ++ return 0; ++ if( val > 0xFFFFFFFFU || val != val ) ++ return 0xFFFFFFFFU; ++ return (uint32)val; ++} ++ + int _TIFFSeekOK(TIFF* tif, toff_t off) + { + /* Huge offsets, especially -1 / UINT64_MAX, can cause issues */ +diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h +index 45a7932..c6f6f93 100644 +--- a/libtiff/tiffiop.h ++++ b/libtiff/tiffiop.h +@@ -393,6 +393,7 @@ extern double _TIFFUInt64ToDouble(uint64); + extern float _TIFFUInt64ToFloat(uint64); + + extern float _TIFFClampDoubleToFloat(double); ++extern uint32 _TIFFClampDoubleToUInt32(double); + + extern tmsize_t + _TIFFReadEncodedStripAndAllocBuffer(TIFF* tif, uint32 strip, +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index c2c2052..79dd0a0 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -5141,17 +5141,17 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, + { + if ((crop->res_unit == RESUNIT_INCH) || (crop->res_unit == RESUNIT_CENTIMETER)) + { +- x1 = (uint32) (crop->corners[i].X1 * scale * xres); +- x2 = (uint32) (crop->corners[i].X2 * scale * xres); +- y1 = (uint32) 
(crop->corners[i].Y1 * scale * yres); +- y2 = (uint32) (crop->corners[i].Y2 * scale * yres); ++ x1 = _TIFFClampDoubleToUInt32(crop->corners[i].X1 * scale * xres); ++ x2 = _TIFFClampDoubleToUInt32(crop->corners[i].X2 * scale * xres); ++ y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1 * scale * yres); ++ y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2 * scale * yres); + } + else + { +- x1 = (uint32) (crop->corners[i].X1); +- x2 = (uint32) (crop->corners[i].X2); +- y1 = (uint32) (crop->corners[i].Y1); +- y2 = (uint32) (crop->corners[i].Y2); ++ x1 = _TIFFClampDoubleToUInt32(crop->corners[i].X1); ++ x2 = _TIFFClampDoubleToUInt32(crop->corners[i].X2); ++ y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1); ++ y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2); + } + if (x1 < 1) + crop->regionlist[i].x1 = 0; +@@ -5214,17 +5214,17 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, + { + if (crop->res_unit != RESUNIT_INCH && crop->res_unit != RESUNIT_CENTIMETER) + { /* User has specified pixels as reference unit */ +- tmargin = (uint32)(crop->margins[0]); +- lmargin = (uint32)(crop->margins[1]); +- bmargin = (uint32)(crop->margins[2]); +- rmargin = (uint32)(crop->margins[3]); ++ tmargin = _TIFFClampDoubleToUInt32(crop->margins[0]); ++ lmargin = _TIFFClampDoubleToUInt32(crop->margins[1]); ++ bmargin = _TIFFClampDoubleToUInt32(crop->margins[2]); ++ rmargin = _TIFFClampDoubleToUInt32(crop->margins[3]); + } + else + { /* inches or centimeters specified */ +- tmargin = (uint32)(crop->margins[0] * scale * yres); +- lmargin = (uint32)(crop->margins[1] * scale * xres); +- bmargin = (uint32)(crop->margins[2] * scale * yres); +- rmargin = (uint32)(crop->margins[3] * scale * xres); ++ tmargin = _TIFFClampDoubleToUInt32(crop->margins[0] * scale * yres); ++ lmargin = _TIFFClampDoubleToUInt32(crop->margins[1] * scale * xres); ++ bmargin = _TIFFClampDoubleToUInt32(crop->margins[2] * scale * yres); ++ rmargin = _TIFFClampDoubleToUInt32(crop->margins[3] * scale 
* xres); + } + + if ((lmargin + rmargin) > image->width) +@@ -5254,24 +5254,24 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, + if (crop->res_unit != RESUNIT_INCH && crop->res_unit != RESUNIT_CENTIMETER) + { + if (crop->crop_mode & CROP_WIDTH) +- width = (uint32)crop->width; ++ width = _TIFFClampDoubleToUInt32(crop->width); + else + width = image->width - lmargin - rmargin; + + if (crop->crop_mode & CROP_LENGTH) +- length = (uint32)crop->length; ++ length = _TIFFClampDoubleToUInt32(crop->length); + else + length = image->length - tmargin - bmargin; + } + else + { + if (crop->crop_mode & CROP_WIDTH) +- width = (uint32)(crop->width * scale * image->xres); ++ width = _TIFFClampDoubleToUInt32(crop->width * scale * image->xres); + else + width = image->width - lmargin - rmargin; + + if (crop->crop_mode & CROP_LENGTH) +- length = (uint32)(crop->length * scale * image->yres); ++ length = _TIFFClampDoubleToUInt32(crop->length * scale * image->yres); + else + length = image->length - tmargin - bmargin; + } +@@ -5670,13 +5670,13 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image, + { + if (page->res_unit == RESUNIT_INCH || page->res_unit == RESUNIT_CENTIMETER) + { /* inches or centimeters specified */ +- hmargin = (uint32)(page->hmargin * scale * page->hres * ((image->bps + 7)/ 8)); +- vmargin = (uint32)(page->vmargin * scale * page->vres * ((image->bps + 7)/ 8)); ++ hmargin = _TIFFClampDoubleToUInt32(page->hmargin * scale * page->hres * ((image->bps + 7) / 8)); ++ vmargin = _TIFFClampDoubleToUInt32(page->vmargin * scale * page->vres * ((image->bps + 7) / 8)); + } + else + { /* Otherwise user has specified pixels as reference unit */ +- hmargin = (uint32)(page->hmargin * scale * ((image->bps + 7)/ 8)); +- vmargin = (uint32)(page->vmargin * scale * ((image->bps + 7)/ 8)); ++ hmargin = _TIFFClampDoubleToUInt32(page->hmargin * scale * ((image->bps + 7) / 8)); ++ vmargin = _TIFFClampDoubleToUInt32(page->vmargin * scale * 
((image->bps + 7) / 8)); + } + + if ((hmargin * 2.0) > (pwidth * page->hres)) +@@ -5714,13 +5714,13 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image, + { + if (page->mode & PAGE_MODE_PAPERSIZE ) + { +- owidth = (uint32)((pwidth * page->hres) - (hmargin * 2)); +- olength = (uint32)((plength * page->vres) - (vmargin * 2)); ++ owidth = _TIFFClampDoubleToUInt32((pwidth * page->hres) - (hmargin * 2)); ++ olength = _TIFFClampDoubleToUInt32((plength * page->vres) - (vmargin * 2)); + } + else + { +- owidth = (uint32)(iwidth - (hmargin * 2 * page->hres)); +- olength = (uint32)(ilength - (vmargin * 2 * page->vres)); ++ owidth = _TIFFClampDoubleToUInt32(iwidth - (hmargin * 2 * page->hres)); ++ olength = _TIFFClampDoubleToUInt32(ilength - (vmargin * 2 * page->vres)); + } + } + +@@ -5729,6 +5729,12 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image, + if (olength > ilength) + olength = ilength; + ++ if (owidth == 0 || olength == 0) ++ { ++ TIFFError("computeOutputPixelOffsets", "Integer overflow when calculating the number of pages"); ++ exit(EXIT_FAILURE); ++ } ++ + /* Compute the number of pages required for Portrait or Landscape */ + switch (page->orient) + { +-- +2.25.1 + diff --git a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb index 75bc20de78..4383f7af8e 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb 
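Review bot: in the _TIFFClampDoubleToUInt32 hunk in tif_aux.c the `val != val` term is the NaN test; it only works because a NaN fails the preceding `val < 0` comparison and falls through, which is easy to misread, so add a `/* NaN */` comment or use isnan() if <math.h> is acceptable there. Saturating NaN to 0xFFFFFFFFU rather than 0 also deserves a comment, since the tiffcrop callers then treat it as a huge margin or crop size.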
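Review bot: in the computeInputPixelOffsets margin hunk each clamped value can be as large as 0xFFFFFFFF, and the unchanged check that follows, `if ((lmargin + rmargin) > image->width)`, adds two uint32 values, so the sum can wrap (0xFFFFFFFF + 1 == 0) and slip past the check into `image->width - lmargin - rmargin`; compare each margin against the width individually or do the addition in 64 bits before comparing, and check whether the corresponding tmargin/bmargin test has the same shape.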
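Review bot: the new `if (owidth == 0 || olength == 0)` check in computeOutputPixelOffsets reports "Integer overflow when calculating the number of pages", but after the clamping above a zero result is a saturated or margin-exhausted page size rather than an overflow, so the message will mislead a user who simply chose margins covering the whole page; reword it to say the output page width or length is zero. Calling exit(EXIT_FAILURE) here also prevents the caller from closing its TIFF handles, so returning an error is preferable if the callers can propagate one.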
@@ -24,6 +24,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ file://CVE-2022-0909.patch \ file://CVE-2022-0891.patch \ file://CVE-2022-0924.patch \ + file://CVE-2022-2056-CVE-2022-2057-CVE-2022-2058.patch \ " SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424" SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634"
From patchwork Fri Jul 29 15:24:11 2022 X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 10784
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 7/7] libtirpc: CVE-2021-46828 DoS vulnerability with lots of connections Date: Fri, 29 Jul 2022 05:24:11 -1000 Message-Id: <73d2b640ad665f6ff3c4fbe8f5da4ef0dbb175f2.1659108121.git.steve@sakoman.com> X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/168672
From: Hitendra Prajapati Source: http://git.linux-nfs.org/?p=steved/libtirpc.git; MR: 120231 Type: Security Fix Disposition: Backport from http://git.linux-nfs.org/?p=steved/libtirpc.git;a=commit;h=86529758570cef4c73fb9b9c4104fdc510f701ed ChangeID: 544120a5f10a4717cd2c7291821a012e26b14b7f Description: CVE-2021-46828 libtirpc: DoS vulnerability with lots of connections. Signed-off-by: Hitendra Prajapati Signed-off-by: Steve Sakoman --- .../libtirpc/libtirpc/CVE-2021-46828.patch | 155 ++++++++++++++++++ .../libtirpc/libtirpc_1.2.6.bb | 4 +- 2 files changed, 158 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-extended/libtirpc/libtirpc/CVE-2021-46828.patch diff --git a/meta/recipes-extended/libtirpc/libtirpc/CVE-2021-46828.patch b/meta/recipes-extended/libtirpc/libtirpc/CVE-2021-46828.patch new file mode 100644 index 0000000000..c78e7ef4d5 --- /dev/null +++ b/meta/recipes-extended/libtirpc/libtirpc/CVE-2021-46828.patch 
@@ -0,0 +1,155 @@ +From 48309e7cb230fc539c3edab0b3363f8ce973194f Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati +Date: Thu, 28 Jul 2022 09:11:04 +0530 +Subject: [PATCH] CVE-2021-46828 + +Upstream-Status: Backport [http://git.linux-nfs.org/?p=steved/libtirpc.git;a=commit;h=86529758570cef4c73fb9b9c4104fdc510f701ed} +CVE: CVE-2021-46828 +Signed-off-by: Hitendra Prajapati +--- + src/svc.c | 17 +++++++++++++- + src/svc_vc.c | 62 +++++++++++++++++++++++++++++++++++++++++++++++++++- + 2 files changed, 77 insertions(+), 2 deletions(-) + +diff --git a/src/svc.c b/src/svc.c +index 6db164b..3a8709f 100644 +--- a/src/svc.c ++++ b/src/svc.c +@@ -57,7 +57,7 @@ + + #define max(a, b) (a > b ? a : b) + +-static SVCXPRT **__svc_xports; ++SVCXPRT **__svc_xports; + int __svc_maxrec; + + /* +@@ -194,6 +194,21 @@ __xprt_do_unregister (xprt, dolock) + rwlock_unlock (&svc_fd_lock); + } + ++int ++svc_open_fds() ++{ ++ int ix; ++ int nfds = 0; ++ ++ rwlock_rdlock (&svc_fd_lock); ++ for (ix = 0; ix < svc_max_pollfd; ++ix) { ++ if (svc_pollfd[ix].fd != -1) ++ nfds++; ++ } ++ rwlock_unlock (&svc_fd_lock); ++ return (nfds); ++} ++ + /* + * Add a service program to the callout list. 
+ * The dispatch routine will be called when a rpc request for this +diff --git a/src/svc_vc.c b/src/svc_vc.c +index c23cd36..1729963 100644 +--- a/src/svc_vc.c ++++ b/src/svc_vc.c +@@ -64,6 +64,8 @@ + + + extern rwlock_t svc_fd_lock; ++extern SVCXPRT **__svc_xports; ++extern int svc_open_fds(); + + static SVCXPRT *makefd_xprt(int, u_int, u_int); + static bool_t rendezvous_request(SVCXPRT *, struct rpc_msg *); +@@ -82,6 +84,7 @@ static void svc_vc_ops(SVCXPRT *); + static bool_t svc_vc_control(SVCXPRT *xprt, const u_int rq, void *in); + static bool_t svc_vc_rendezvous_control (SVCXPRT *xprt, const u_int rq, + void *in); ++static int __svc_destroy_idle(int timeout); + + struct cf_rendezvous { /* kept in xprt->xp_p1 for rendezvouser */ + u_int sendsize; +@@ -312,13 +315,14 @@ done: + return (xprt); + } + ++ + /*ARGSUSED*/ + static bool_t + rendezvous_request(xprt, msg) + SVCXPRT *xprt; + struct rpc_msg *msg; + { +- int sock, flags; ++ int sock, flags, nfds, cnt; + struct cf_rendezvous *r; + struct cf_conn *cd; + struct sockaddr_storage addr; +@@ -378,6 +382,16 @@ again: + + gettimeofday(&cd->last_recv_time, NULL); + ++ nfds = svc_open_fds(); ++ if (nfds >= (_rpc_dtablesize() / 5) * 4) { ++ /* destroy idle connections */ ++ cnt = __svc_destroy_idle(15); ++ if (cnt == 0) { ++ /* destroy least active */ ++ __svc_destroy_idle(0); ++ } ++ } ++ + return (FALSE); /* there is never an rpc msg to be processed */ + } + +@@ -819,3 +833,49 @@ __svc_clean_idle(fd_set *fds, int timeout, bool_t cleanblock) + { + return FALSE; + } ++ ++static int ++__svc_destroy_idle(int timeout) ++{ ++ int i, ncleaned = 0; ++ SVCXPRT *xprt, *least_active; ++ struct timeval tv, tdiff, tmax; ++ struct cf_conn *cd; ++ ++ gettimeofday(&tv, NULL); ++ tmax.tv_sec = tmax.tv_usec = 0; ++ least_active = NULL; ++ rwlock_wrlock(&svc_fd_lock); ++ ++ for (i = 0; i <= svc_max_pollfd; i++) { ++ if (svc_pollfd[i].fd == -1) ++ continue; ++ xprt = __svc_xports[i]; ++ if (xprt == NULL || xprt->xp_ops == NULL || ++ 
xprt->xp_ops->xp_recv != svc_vc_recv) ++ continue; ++ cd = (struct cf_conn *)xprt->xp_p1; ++ if (!cd->nonblock) ++ continue; ++ if (timeout == 0) { ++ timersub(&tv, &cd->last_recv_time, &tdiff); ++ if (timercmp(&tdiff, &tmax, >)) { ++ tmax = tdiff; ++ least_active = xprt; ++ } ++ continue; ++ } ++ if (tv.tv_sec - cd->last_recv_time.tv_sec > timeout) { ++ __xprt_unregister_unlocked(xprt); ++ __svc_vc_dodestroy(xprt); ++ ncleaned++; ++ } ++ } ++ if (timeout == 0 && least_active != NULL) { ++ __xprt_unregister_unlocked(least_active); ++ __svc_vc_dodestroy(least_active); ++ ncleaned++; ++ } ++ rwlock_unlock(&svc_fd_lock); ++ return (ncleaned); ++} +-- +2.25.1 + diff --git a/meta/recipes-extended/libtirpc/libtirpc_1.2.6.bb b/meta/recipes-extended/libtirpc/libtirpc_1.2.6.bb index 10a324c3b6..fe4e30e61f 100644 --- a/meta/recipes-extended/libtirpc/libtirpc_1.2.6.bb +++ b/meta/recipes-extended/libtirpc/libtirpc_1.2.6.bb @@ -9,7 +9,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=f835cce8852481e4b2bbbdd23b5e47f3 \ PROVIDES = "virtual/librpc" -SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BP}.tar.bz2" +SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BP}.tar.bz2 \ + file://CVE-2021-46828.patch \ + " UPSTREAM_CHECK_URI = "https://sourceforge.net/projects/libtirpc/files/libtirpc/" UPSTREAM_CHECK_REGEX = "(?P\d+(\.\d+)+)/" SRC_URI[md5sum] = "b25f9cc18bfad50f7c446c77f4ae00bb"
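Review bot: the Upstream-Status line in the CVE-2021-46828.patch header closes with `}` instead of `]` (`Backport [http://git.linux-nfs.org/?p=steved/libtirpc.git;a=commit;h=86529758570cef4c73fb9b9c4104fdc510f701ed}`); fix the bracket so the tag is well-formed.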
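Review bot: svc_open_fds() in the svc.c hunk iterates `ix < svc_max_pollfd`, while the new __svc_destroy_idle() in svc_vc.c iterates `i <= svc_max_pollfd`; one of the two is off by one, and with `<=` the loop touches svc_pollfd[svc_max_pollfd] and __svc_xports[svc_max_pollfd], one past the end if svc_max_pollfd is a count. Use the bound the rest of svc.c uses in both loops. Dropping `static` from `__svc_xports` also exports a new symbol from the library; if the goal is only cross-file access, declare it in an internal header rather than through the ad-hoc `extern` added in svc_vc.c.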
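Review bot: `extern int svc_open_fds();` in the first svc_vc.c hunk is an old-style declaration without a prototype; write it as `extern int svc_open_fds(void);` so a mismatched call is caught at compile time.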
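Review bot: in the rendezvous_request hunk the threshold `nfds >= (_rpc_dtablesize() / 5) * 4` and the `__svc_destroy_idle(15)` argument are unexplained magic numbers; name them (an 80% high-water mark and a 15-second idle limit) and note in a comment that the fallback `__svc_destroy_idle(0)` deliberately closes the least recently active connection even though it may not be idle, since that is the behaviour a reader will question first.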
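Review bot: __svc_destroy_idle() documents neither of its two modes: with `timeout == 0` it skips the idle test entirely and evicts the single connection with the largest time since last_recv_time, while with a positive timeout it evicts every connection older than that many seconds; add a function comment stating both, and that only non-blocking svc_vc_recv transports (`cd->nonblock`) are eligible, so callers understand that the listening socket and blocking connections are never reclaimed.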