53 files changed, 2573 insertions, 25 deletions
diff --git a/meta/conf/distro/include/yocto-uninative.inc b/meta/conf/distro/include/yocto-uninative.inc
index 889695eae3..69b6edee5f 100644
--- a/meta/conf/distro/include/yocto-uninative.inc
+++ b/meta/conf/distro/include/yocto-uninative.inc
@@ -6,9 +6,9 @@ # to the distro running on the build machine.
 #
-UNINATIVE_MAXGLIBCVERSION = "2.31"
+UNINATIVE_MAXGLIBCVERSION = "2.32"
-UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/2.8/"
-UNINATIVE_CHECKSUM[aarch64] ?= "989187344bf9539b464fb7ed9c223e51f4bdb4c7a677d2c314e6fed393176efe"
-UNINATIVE_CHECKSUM[i686] ?= "cc3e45bc8594488b407363e3fa9af5a099279dab2703c64342098719bd674990"
-UNINATIVE_CHECKSUM[x86_64] ?= "a09922172c3a439105e0ae6b943daad2d83505b17da0aba97961ff433b8c21ab"
+UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/2.9/"
+UNINATIVE_CHECKSUM[aarch64] ?= "9f25a667aee225b1dd65c4aea73e01983e825b1cb9b56937932a1ee328b45f81"
+UNINATIVE_CHECKSUM[i686] ?= "cae5d73245d95b07cf133b780ba3f6c8d0adca3ffc4e7e7fab999961d5e24d36"
+UNINATIVE_CHECKSUM[x86_64] ?= "d07916b95c419c81541a19c8ef0ed8cbd78ae18437ff28a4c8a60ef40518e423"
diff --git a/meta/files/toolchain-shar-extract.sh b/meta/files/toolchain-shar-extract.sh
index 4c4b4deb4c..2e0fe94963 100644
--- a/meta/files/toolchain-shar-extract.sh
+++ b/meta/files/toolchain-shar-extract.sh
@@ -1,13 +1,8 @@
 #!/bin/sh
-[ -z "$ENVCLEANED" ] && exec /usr/bin/env -i ENVCLEANED=1 HOME="$HOME" \
- LC_ALL=en_US.UTF-8 \
- TERM=$TERM \
- ICECC_PATH="$ICECC_PATH" \
- http_proxy="$http_proxy" https_proxy="$https_proxy" ftp_proxy="$ftp_proxy" \
- no_proxy="$no_proxy" all_proxy="$all_proxy" GIT_PROXY_COMMAND="$GIT_PROXY_COMMAND" "$0" "$@"
-[ -f /etc/environment ] && . /etc/environment
-export PATH=`echo "$PATH" | sed -e 's/:\.//' -e 's/::/:/'`
+export LC_ALL=en_US.UTF-8
+# Remove invalid PATH elements first (maybe from a previously setup toolchain now deleted
+PATH=`python3 -c 'import os; print(":".join(e for e in os.environ["PATH"].split(":") if os.path.exists(e)))'`
 tweakpath () {
 case ":${PATH}:" in
diff --git a/meta/lib/oeqa/core/utils/concurrencytest.py b/meta/lib/oeqa/core/utils/concurrencytest.py
index 0f7b3dcc11..e6b14da89d 100644
--- a/meta/lib/oeqa/core/utils/concurrencytest.py
+++ b/meta/lib/oeqa/core/utils/concurrencytest.py
@@ -261,7 +261,7 @@ def fork_for_tests(concurrency_num, suite):
 oe.path.copytree(selftestdir, newselftestdir)
 for e in os.environ:
- if builddir in os.environ[e]:
+ if builddir + "/" in os.environ[e] or os.environ[e].endswith(builddir):
 os.environ[e] = os.environ[e].replace(builddir, newbuilddir)
 subprocess.check_output("git init; git add *; git commit -a -m 'initial'", cwd=newselftestdir, shell=True)
diff --git a/meta/lib/oeqa/sdkext/testsdk.py b/meta/lib/oeqa/sdkext/testsdk.py
index 785b5dda53..c5c46df6cd 100644
--- a/meta/lib/oeqa/sdkext/testsdk.py
+++ b/meta/lib/oeqa/sdkext/testsdk.py
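Review bot: The new `PATH=` assignment leaves the installer with an empty PATH whenever `python3` is not found or the one-liner fails, because the command substitution's output becomes the whole value; the removed `sed` pipeline had no such failure mode. The filter also keeps `.` and any other relative entry (they exist relative to the current directory), which the old `s/:\.//` deliberately dropped, so later commands in the installer can again resolve binaries from wherever it was started. Keeping the old value on failure and dropping relative entries would be `NEWPATH=$(python3 -c 'import os; print(":".join(e for e in os.environ["PATH"].split(":") if e.startswith("/") and os.path.exists(e)))') && PATH="$NEWPATH"`. The added comment is also missing its closing parenthesis. `tweakpath` begins inside the hunk and continues outside it.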
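Review bot: The match condition is narrowed to `builddir + "/"` or a trailing `builddir`, but the replacement on the following line still substitutes every bare occurrence of `builddir`, so a sibling path sharing the prefix (constructed example: `/x/build-other` when builddir is `/x/build`) in the same variable is rewritten as well. The signing.py hunk in this commit replaces `builddir + "/"` first and is the shape to copy here: `os.environ[e] = os.environ[e].replace(builddir + "/", newbuilddir + "/")` followed by a separate `endswith(builddir)` check that replaces only the trailing occurrence. signing.py's second `replace(builddir, newbuilddir)` still has the same residual prefix-match issue once the `endswith` branch is taken. `fork_for_tests` starts and ends outside the hunk.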
@@ -25,11 +25,8 @@ class TestSDKExt(TestSDKBase):
 subprocesstweak.errors_have_output()
- # extensible sdk can be contaminated if native programs are
- # in PATH, i.e. use perl-native instead of eSDK one.
- paths_to_avoid = [d.getVar('STAGING_DIR'),
- d.getVar('BASE_WORKDIR')]
- os.environ['PATH'] = avoid_paths_in_environ(paths_to_avoid)
+ # We need the original PATH for testing the eSDK, not with our manipulations
+ os.environ['PATH'] = d.getVar("BB_ORIGENV", False).getVar("PATH")
 tcname = d.expand("${SDK_DEPLOY}/${TOOLCHAINEXT_OUTPUTNAME}.sh")
 if not os.path.exists(tcname):
diff --git a/meta/lib/oeqa/selftest/cases/runtime_test.py b/meta/lib/oeqa/selftest/cases/runtime_test.py
index 7d3922ce44..d4fea91350 100644
--- a/meta/lib/oeqa/selftest/cases/runtime_test.py
+++ b/meta/lib/oeqa/selftest/cases/runtime_test.py
@@ -166,7 +166,7 @@ class TestImage(OESelftestTestCase):
 bitbake('core-image-full-cmdline socat')
 bitbake('-c testimage core-image-full-cmdline')
- def test_testimage_virgl_gtk(self):
+ def disabled_test_testimage_virgl_gtk(self):
 """
 Summary: Check host-assisted accelerate OpenGL functionality in qemu with gtk frontend
 Expected: 1. Check that virgl kernel driver is loaded and 3d acceleration is enabled
diff --git a/meta/lib/oeqa/selftest/cases/signing.py b/meta/lib/oeqa/selftest/cases/signing.py
index 5c4e01b2c3..5b8f9bbd38 100644
--- a/meta/lib/oeqa/selftest/cases/signing.py
+++ b/meta/lib/oeqa/selftest/cases/signing.py
@@ -44,7 +44,9 @@ class Signing(OESelftestTestCase):
 origenv = os.environ.copy()
 for e in os.environ:
- if builddir in os.environ[e]:
+ if builddir + "/" in os.environ[e]:
+ os.environ[e] = os.environ[e].replace(builddir + "/", newbuilddir + "/")
+ if os.environ[e].endswith(builddir):
 os.environ[e] = os.environ[e].replace(builddir, newbuilddir)
 os.chdir(newbuilddir)
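Review bot: `d.getVar("BB_ORIGENV", False).getVar("PATH")` is stored into `os.environ['PATH']` with no guard, so if PATH is absent from the saved original environment the assignment fails with a TypeError on `None` rather than a readable message. A two-line guard keeps the failure explicit: `origpath = d.getVar("BB_ORIGENV", False).getVar("PATH")` then `if not origpath: raise RuntimeError("PATH not found in BB_ORIGENV")`. The removed comment explained why native sysroot paths were kept out of PATH; keeping that rationale beside the new line, e.g. `# Use the unmodified host PATH so native sysroot tools cannot shadow the eSDK's own`, preserves the intent for the next reader. The enclosing method starts and ends outside the hunk.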
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2020-8622.patch b/meta/recipes-connectivity/bind/bind/CVE-2020-8622.patch new file mode 100644 index 0000000000..dec5672657 --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/CVE-2020-8622.patch 
@@ -0,0 +1,60 @@ +From ca543240380475d888d660ea3296fc880ce52f35 Mon Sep 17 00:00:00 2001 +From: Mark Andrews <marka@isc.org> +Date: Wed, 15 Jul 2020 16:07:51 +1000 +Subject: [PATCH] bind: Always keep a copy of the message + +this allows it to be available even when dns_message_parse() +returns a error. + +Upstream-Status: Backport +CVE: CVE-2020-8622 +Signed-off-by: Li Zhou <li.zhou@windriver.com> +--- + lib/dns/message.c | 24 +++++++++++++----------- + 1 file changed, 13 insertions(+), 11 deletions(-) + +diff --git a/lib/dns/message.c b/lib/dns/message.c +index ac637a2..39ed80f 100644 +--- a/lib/dns/message.c ++++ b/lib/dns/message.c +@@ -1679,6 +1679,19 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source, + msg->header_ok = 0; + msg->question_ok = 0; + ++ if ((options & DNS_MESSAGEPARSE_CLONEBUFFER) == 0) { ++ isc_buffer_usedregion(&origsource, &msg->saved); ++ } else { ++ msg->saved.length = isc_buffer_usedlength(&origsource); ++ msg->saved.base = isc_mem_get(msg->mctx, msg->saved.length); ++ if (msg->saved.base == NULL) { ++ return (ISC_R_NOMEMORY); ++ } ++ memmove(msg->saved.base, isc_buffer_base(&origsource), ++ msg->saved.length); ++ msg->free_saved = 1; ++ } ++ + isc_buffer_remainingregion(source, &r); + if (r.length < DNS_MESSAGE_HEADERLEN) + return (ISC_R_UNEXPECTEDEND); +@@ -1754,17 +1767,6 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source, + } + + truncated: +- if ((options & DNS_MESSAGEPARSE_CLONEBUFFER) == 0) +- isc_buffer_usedregion(&origsource, &msg->saved); +- else { +- msg->saved.length = isc_buffer_usedlength(&origsource); +- msg->saved.base = isc_mem_get(msg->mctx, msg->saved.length); +- if (msg->saved.base == NULL) +- return (ISC_R_NOMEMORY); +- memmove(msg->saved.base, isc_buffer_base(&origsource), +- msg->saved.length); +- msg->free_saved = 1; +- } + + if (ret == ISC_R_UNEXPECTEDEND && ignore_tc) + return (DNS_R_RECOVERABLE); +-- +1.9.1 + 
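Review bot: The moved block now allocates `msg->saved.base` (when `DNS_MESSAGEPARSE_CLONEBUFFER` is set) before the `DNS_MESSAGE_HEADERLEN` check, so an `ISC_R_UNEXPECTEDEND` return leaves a heap copy owned by the message with `free_saved = 1`; that is the stated intent, but the backport description should say that callers are expected to reset the message on error so the copy is released — the reset path is not visible from this hunk. The `Upstream-Status: Backport` line also lacks the upstream commit reference that the libxml2 patch in this same commit carries in the `Backport [url]` form; the same applies to the CVE-2020-8623 and CVE-2020-8624 patches. The commit hash on the patch's first line is presumably what belongs there.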
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2020-8623.patch b/meta/recipes-connectivity/bind/bind/CVE-2020-8623.patch new file mode 100644 index 0000000000..8e5412a89e --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/CVE-2020-8623.patch 
@@ -0,0 +1,402 @@ +From 8d807cc21655eaa6e6a08afafeec3682c0f3f2ab Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org> +Date: Tue, 21 Jul 2020 14:42:47 +0200 +Subject: [PATCH] Fix crash in pk11_numbits() when native-pkcs11 is used + +When pk11_numbits() is passed a user provided input that contains all +zeroes (via crafted DNS message), it would crash with assertion +failure. Fix that by properly handling such input. + +Upstream-Status: Backport +CVE: CVE-2020-8623 +Signed-off-by: Li Zhou <li.zhou@windriver.com> +--- + lib/dns/pkcs11dh_link.c | 15 ++++++- + lib/dns/pkcs11dsa_link.c | 8 +++- + lib/dns/pkcs11rsa_link.c | 79 +++++++++++++++++++++++++-------- + lib/isc/include/pk11/internal.h | 3 +- + lib/isc/pk11.c | 61 ++++++++++++++++--------- + 5 files changed, 121 insertions(+), 45 deletions(-) + +diff --git a/lib/dns/pkcs11dh_link.c b/lib/dns/pkcs11dh_link.c +index e2b60ea7c5..4cd8e32d60 100644 +--- a/lib/dns/pkcs11dh_link.c ++++ b/lib/dns/pkcs11dh_link.c +@@ -748,6 +748,7 @@ pkcs11dh_fromdns(dst_key_t *key, isc_buffer_t *data) { + CK_BYTE *prime = NULL, *base = NULL, *pub = NULL; + CK_ATTRIBUTE *attr; + int special = 0; ++ unsigned int bits; + isc_result_t result; + + isc_buffer_remainingregion(data, &r); +@@ -852,7 +853,11 @@ pkcs11dh_fromdns(dst_key_t *key, isc_buffer_t *data) { + pub = r.base; + isc_region_consume(&r, publen); + +- key->key_size = pk11_numbits(prime, plen_); ++ result = pk11_numbits(prime, plen_, &bits); ++ if (result != ISC_R_SUCCESS) { ++ goto cleanup; ++ } ++ key->key_size = bits; + + dh->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 3); + if (dh->repr == NULL) +@@ -1012,6 +1017,7 @@ pkcs11dh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { + dst_private_t priv; + isc_result_t ret; + int i; ++ unsigned int bits; + pk11_object_t *dh = NULL; + CK_ATTRIBUTE *attr; + isc_mem_t *mctx; +@@ -1082,7 +1088,12 @@ pkcs11dh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { + + attr = 
pk11_attribute_bytype(dh, CKA_PRIME); + INSIST(attr != NULL); +- key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen); ++ ++ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits); ++ if (ret != ISC_R_SUCCESS) { ++ goto err; ++ } ++ key->key_size = bits; + + return (ISC_R_SUCCESS); + +diff --git a/lib/dns/pkcs11dsa_link.c b/lib/dns/pkcs11dsa_link.c +index 12d707a112..24d4c149ff 100644 +--- a/lib/dns/pkcs11dsa_link.c ++++ b/lib/dns/pkcs11dsa_link.c +@@ -983,6 +983,7 @@ pkcs11dsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { + dst_private_t priv; + isc_result_t ret; + int i; ++ unsigned int bits; + pk11_object_t *dsa = NULL; + CK_ATTRIBUTE *attr; + isc_mem_t *mctx = key->mctx; +@@ -1072,7 +1073,12 @@ pkcs11dsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { + + attr = pk11_attribute_bytype(dsa, CKA_PRIME); + INSIST(attr != NULL); +- key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen); ++ ++ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits); ++ if (ret != ISC_R_SUCCESS) { ++ goto err; ++ } ++ key->key_size = bits; + + return (ISC_R_SUCCESS); + +diff --git a/lib/dns/pkcs11rsa_link.c b/lib/dns/pkcs11rsa_link.c +index 096c1a8e91..1d10d26564 100644 +--- a/lib/dns/pkcs11rsa_link.c ++++ b/lib/dns/pkcs11rsa_link.c +@@ -332,6 +332,7 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits, + key->key_alg == DST_ALG_RSASHA256 || + key->key_alg == DST_ALG_RSASHA512); + #endif ++ REQUIRE(maxbits <= RSA_MAX_PUBEXP_BITS); + + /* + * Reject incorrect RSA key lengths. 
+@@ -376,6 +377,7 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits, + for (attr = pk11_attribute_first(rsa); + attr != NULL; + attr = pk11_attribute_next(rsa, attr)) ++ { + switch (attr->type) { + case CKA_MODULUS: + INSIST(keyTemplate[5].type == attr->type); +@@ -396,12 +398,16 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits, + memmove(keyTemplate[6].pValue, attr->pValue, + attr->ulValueLen); + keyTemplate[6].ulValueLen = attr->ulValueLen; +- if (pk11_numbits(attr->pValue, +- attr->ulValueLen) > maxbits && +- maxbits != 0) ++ unsigned int bits; ++ ret = pk11_numbits(attr->pValue, attr->ulValueLen, ++ &bits); ++ if (ret != ISC_R_SUCCESS || ++ (bits > maxbits && maxbits != 0)) { + DST_RET(DST_R_VERIFYFAILURE); ++ } + break; + } ++ } + pk11_ctx->object = CK_INVALID_HANDLE; + pk11_ctx->ontoken = false; + PK11_RET(pkcs_C_CreateObject, +@@ -1072,6 +1078,7 @@ pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) { + keyTemplate[5].ulValueLen = attr->ulValueLen; + break; + case CKA_PUBLIC_EXPONENT: ++ unsigned int bits; + INSIST(keyTemplate[6].type == attr->type); + keyTemplate[6].pValue = isc_mem_get(dctx->mctx, + attr->ulValueLen); +@@ -1080,10 +1087,12 @@ pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) { + memmove(keyTemplate[6].pValue, attr->pValue, + attr->ulValueLen); + keyTemplate[6].ulValueLen = attr->ulValueLen; +- if (pk11_numbits(attr->pValue, +- attr->ulValueLen) +- > RSA_MAX_PUBEXP_BITS) ++ ret = pk11_numbits(attr->pValue, attr->ulValueLen, ++ &bits); ++ if (ret != ISC_R_SUCCESS || bits > RSA_MAX_PUBEXP_BITS) ++ { + DST_RET(DST_R_VERIFYFAILURE); ++ } + break; + } + pk11_ctx->object = CK_INVALID_HANDLE; +@@ -1461,6 +1470,8 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) { + CK_BYTE *exponent = NULL, *modulus = NULL; + CK_ATTRIBUTE *attr; + unsigned int length; ++ unsigned int bits; ++ isc_result_t ret = ISC_R_SUCCESS; + + isc_buffer_remainingregion(data, &r); + if (r.length == 0) +@@ -1478,9 
+1489,7 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) { + + if (e_bytes == 0) { + if (r.length < 2) { +- isc_safe_memwipe(rsa, sizeof(*rsa)); +- isc_mem_put(key->mctx, rsa, sizeof(*rsa)); +- return (DST_R_INVALIDPUBLICKEY); ++ DST_RET(DST_R_INVALIDPUBLICKEY); + } + e_bytes = (*r.base) << 8; + isc_region_consume(&r, 1); +@@ -1489,16 +1498,18 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) { + } + + if (r.length < e_bytes) { +- isc_safe_memwipe(rsa, sizeof(*rsa)); +- isc_mem_put(key->mctx, rsa, sizeof(*rsa)); +- return (DST_R_INVALIDPUBLICKEY); ++ DST_RET(DST_R_INVALIDPUBLICKEY); + } + exponent = r.base; + isc_region_consume(&r, e_bytes); + modulus = r.base; + mod_bytes = r.length; + +- key->key_size = pk11_numbits(modulus, mod_bytes); ++ ret = pk11_numbits(modulus, mod_bytes, &bits); ++ if (ret != ISC_R_SUCCESS) { ++ goto err; ++ } ++ key->key_size = bits; + + isc_buffer_forward(data, length); + +@@ -1548,9 +1559,12 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) { + rsa->repr, + rsa->attrcnt * sizeof(*attr)); + } ++ ret = ISC_R_NOMEMORY; ++ ++ err: + isc_safe_memwipe(rsa, sizeof(*rsa)); + isc_mem_put(key->mctx, rsa, sizeof(*rsa)); +- return (ISC_R_NOMEMORY); ++ return (ret); + } + + static isc_result_t +@@ -1729,6 +1743,7 @@ pkcs11rsa_fetch(dst_key_t *key, const char *engine, const char *label, + pk11_object_t *pubrsa; + pk11_context_t *pk11_ctx = NULL; + isc_result_t ret; ++ unsigned int bits; + + if (label == NULL) + return (DST_R_NOENGINE); +@@ -1815,7 +1830,11 @@ pkcs11rsa_fetch(dst_key_t *key, const char *engine, const char *label, + + attr = pk11_attribute_bytype(rsa, CKA_MODULUS); + INSIST(attr != NULL); +- key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen); ++ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits); ++ if (ret != ISC_R_SUCCESS) { ++ goto err; ++ } ++ key->key_size = bits; + + return (ISC_R_SUCCESS); + +@@ -1901,6 +1920,7 @@ pkcs11rsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { + 
CK_ATTRIBUTE *attr; + isc_mem_t *mctx = key->mctx; + const char *engine = NULL, *label = NULL; ++ unsigned int bits; + + /* read private key file */ + ret = dst__privstruct_parse(key, DST_ALG_RSA, lexer, mctx, &priv); +@@ -2044,12 +2064,22 @@ pkcs11rsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { + + attr = pk11_attribute_bytype(rsa, CKA_MODULUS); + INSIST(attr != NULL); +- key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen); ++ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits); ++ if (ret != ISC_R_SUCCESS) { ++ goto err; ++ } ++ key->key_size = bits; + + attr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT); + INSIST(attr != NULL); +- if (pk11_numbits(attr->pValue, attr->ulValueLen) > RSA_MAX_PUBEXP_BITS) ++ ++ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits); ++ if (ret != ISC_R_SUCCESS) { ++ goto err; ++ } ++ if (bits > RSA_MAX_PUBEXP_BITS) { + DST_RET(ISC_R_RANGE); ++ } + + dst__privstruct_free(&priv, mctx); + isc_safe_memwipe(&priv, sizeof(priv)); +@@ -2084,6 +2114,7 @@ pkcs11rsa_fromlabel(dst_key_t *key, const char *engine, const char *label, + pk11_context_t *pk11_ctx = NULL; + isc_result_t ret; + unsigned int i; ++ unsigned int bits; + + UNUSED(pin); + +@@ -2178,12 +2209,22 @@ pkcs11rsa_fromlabel(dst_key_t *key, const char *engine, const char *label, + + attr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT); + INSIST(attr != NULL); +- if (pk11_numbits(attr->pValue, attr->ulValueLen) > RSA_MAX_PUBEXP_BITS) ++ ++ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits); ++ if (ret != ISC_R_SUCCESS) { ++ goto err; ++ } ++ if (bits > RSA_MAX_PUBEXP_BITS) { + DST_RET(ISC_R_RANGE); ++ } + + attr = pk11_attribute_bytype(rsa, CKA_MODULUS); + INSIST(attr != NULL); +- key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen); ++ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits); ++ if (ret != ISC_R_SUCCESS) { ++ goto err; ++ } ++ key->key_size = bits; + + pk11_return_session(pk11_ctx); + isc_safe_memwipe(pk11_ctx, 
sizeof(*pk11_ctx)); +diff --git a/lib/isc/include/pk11/internal.h b/lib/isc/include/pk11/internal.h +index aa8907ab08..7cc8ec812b 100644 +--- a/lib/isc/include/pk11/internal.h ++++ b/lib/isc/include/pk11/internal.h +@@ -25,7 +25,8 @@ void pk11_mem_put(void *ptr, size_t size); + + CK_SLOT_ID pk11_get_best_token(pk11_optype_t optype); + +-unsigned int pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt); ++isc_result_t ++pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt, unsigned int *bits); + + CK_ATTRIBUTE *pk11_attribute_first(const pk11_object_t *obj); + +diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c +index 012afd968a..4e4052044b 100644 +--- a/lib/isc/pk11.c ++++ b/lib/isc/pk11.c +@@ -962,13 +962,15 @@ pk11_get_best_token(pk11_optype_t optype) { + return (token->slotid); + } + +-unsigned int +-pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt) { ++isc_result_t ++pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt, unsigned int *bits) { + unsigned int bitcnt, i; + CK_BYTE top; + +- if (bytecnt == 0) +- return (0); ++ if (bytecnt == 0) { ++ *bits = 0; ++ return (ISC_R_SUCCESS); ++ } + bitcnt = bytecnt * 8; + for (i = 0; i < bytecnt; i++) { + top = data[i]; +@@ -976,26 +978,41 @@ pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt) { + bitcnt -= 8; + continue; + } +- if (top & 0x80) +- return (bitcnt); +- if (top & 0x40) +- return (bitcnt - 1); +- if (top & 0x20) +- return (bitcnt - 2); +- if (top & 0x10) +- return (bitcnt - 3); +- if (top & 0x08) +- return (bitcnt - 4); +- if (top & 0x04) +- return (bitcnt - 5); +- if (top & 0x02) +- return (bitcnt - 6); +- if (top & 0x01) +- return (bitcnt - 7); ++ if (top & 0x80) { ++ *bits = bitcnt; ++ return (ISC_R_SUCCESS); ++ } ++ if (top & 0x40) { ++ *bits = bitcnt - 1; ++ return (ISC_R_SUCCESS); ++ } ++ if (top & 0x20) { ++ *bits = bitcnt - 2; ++ return (ISC_R_SUCCESS); ++ } ++ if (top & 0x10) { ++ *bits = bitcnt - 3; ++ return (ISC_R_SUCCESS); ++ } ++ if (top & 0x08) { ++ *bits = bitcnt - 4; ++ return (ISC_R_SUCCESS); 
++ } ++ if (top & 0x04) { ++ *bits = bitcnt - 5; ++ return (ISC_R_SUCCESS); ++ } ++ if (top & 0x02) { ++ *bits = bitcnt - 6; ++ return (ISC_R_SUCCESS); ++ } ++ if (top & 0x01) { ++ *bits = bitcnt - 7; ++ return (ISC_R_SUCCESS); ++ } + break; + } +- INSIST(0); +- ISC_UNREACHABLE(); ++ return (ISC_R_RANGE); + } + + CK_ATTRIBUTE * +-- +2.17.1 + diff --git a/meta/recipes-connectivity/bind/bind/CVE-2020-8624.patch b/meta/recipes-connectivity/bind/bind/CVE-2020-8624.patch new file mode 100644 index 0000000000..9cffe358bf --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/CVE-2020-8624.patch @@ -0,0 +1,33 @@ +From a73c3d30de7fe98af9e4dc0e490f732a48412380 Mon Sep 17 00:00:00 2001 +From: Mark Andrews <marka@isc.org> +Date: Wed, 29 Jul 2020 23:36:03 +1000 +Subject: [PATCH] bind: Update-policy 'subdomain' was incorrectly treated as + 'zonesub' + +resulting in names outside the specified subdomain having the wrong +restrictions for the given key. + +Upstream-Status: Backport +CVE: CVE-2020-8624 +Signed-off-by: Li Zhou <li.zhou@windriver.com> +--- + bin/named/zoneconf.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c +index e237bdb..4898447 100644 +--- a/bin/named/zoneconf.c ++++ b/bin/named/zoneconf.c +@@ -237,7 +237,8 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone, + + str = cfg_obj_asstring(matchtype); + CHECK(dns_ssu_mtypefromstring(str, &mtype)); +- if (mtype == dns_ssumatchtype_subdomain) { ++ if (mtype == dns_ssumatchtype_subdomain && ++ strcasecmp(str, "zonesub") == 0) { + usezone = true; + } + +-- +1.9.1 + diff --git a/meta/recipes-connectivity/bind/bind_9.11.19.bb b/meta/recipes-connectivity/bind/bind_9.11.19.bb index a77be8678f..d4467b0b48 100644 --- a/meta/recipes-connectivity/bind/bind_9.11.19.bb +++ b/meta/recipes-connectivity/bind/bind_9.11.19.bb 
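Review bot: In the `pkcs11rsa_verify` hunk the added `unsigned int bits;` sits directly after `case CKA_PUBLIC_EXPONENT:`, i.e. a declaration immediately following a label; C before C23 requires a statement there, and gcc rejects it with "a label can only be part of a statement and a declaration is not a statement". The `pkcs11rsa_createctx_verify` hunk places the same declaration after `keyTemplate[6].ulValueLen = attr->ulValueLen;`, which is valid; the verify hunk should do the same, or declare `bits` with the function's other locals as the remaining hunks do. This probably went unnoticed because `pkcs11rsa_link.c` is only compiled when native PKCS#11 support is enabled, which cannot be confirmed from the recipe hunk in this commit.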
@@ -18,6 +18,9 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \ file://0001-configure.in-remove-useless-L-use_openssl-lib.patch \ file://0001-named-lwresd-V-and-start-log-hide-build-options.patch \ file://0001-avoid-start-failure-with-bind-user.patch \ + file://CVE-2020-8622.patch \ + file://CVE-2020-8623.patch \ + file://CVE-2020-8624.patch \ " SRC_URI[sha256sum] = "0dee554a4caa368948b32da9a0c97b516c19103bc13ff5b3762c5d8552f52329" diff --git a/meta/recipes-core/glibc/glibc/0005-nativesdk-glibc-Make-relocatable-install-for-locales.patch b/meta/recipes-core/glibc/glibc/0005-nativesdk-glibc-Make-relocatable-install-for-locales.patch index 3aad603ada..5cd235f6ac 100644 --- a/meta/recipes-core/glibc/glibc/0005-nativesdk-glibc-Make-relocatable-install-for-locales.patch +++ b/meta/recipes-core/glibc/glibc/0005-nativesdk-glibc-Make-relocatable-install-for-locales.patch 
@@ -65,6 +65,35 @@ index 7c1cc3eecb..53cb8bfc59 100644 /* Load the locale data for CATEGORY from the file specified by *NAME. If *NAME is "", use environment variables as specified by POSIX, and --- -2.22.0 - +Index: git/locale/programs/locale.c +=================================================================== +--- git.orig/locale/programs/locale.c ++++ git/locale/programs/locale.c +@@ -632,6 +632,7 @@ nameentcmp (const void *a, const void *b + ((const struct nameent *) b)->name); + } + ++static char _write_archive_locales_path[4096] attribute_hidden __attribute__ ((section (".gccrelocprefix"))) = ARCHIVE_NAME; + + static int + write_archive_locales (void **all_datap, char *linebuf) +@@ -645,7 +646,7 @@ write_archive_locales (void **all_datap, + int fd, ret = 0; + uint32_t cnt; + +- fd = open64 (ARCHIVE_NAME, O_RDONLY); ++ fd = open64 (_write_archive_locales_path, O_RDONLY); + if (fd < 0) + return 0; + +@@ -700,8 +701,8 @@ write_archive_locales (void **all_datap, + if (cnt) + putchar_unlocked ('\n'); + +- printf ("locale: %-15.15s archive: " ARCHIVE_NAME "\n%s\n", +- names[cnt].name, linebuf); ++ printf ("locale: %-15.15s archive: %s\n%s\n", ++ names[cnt].name, _write_archive_locales_path, linebuf); + + locrec = (struct locrecent *) (addr + names[cnt].locrec_offset); + diff --git a/meta/recipes-core/images/build-appliance-image_15.0.0.bb b/meta/recipes-core/images/build-appliance-image_15.0.0.bb index 7d8b665e6b..e993bde2d7 100644 --- a/meta/recipes-core/images/build-appliance-image_15.0.0.bb +++ b/meta/recipes-core/images/build-appliance-image_15.0.0.bb @@ -24,7 +24,7 @@ IMAGE_FSTYPES = "wic.vmdk" inherit core-image module-base setuptools3 -SRCREV ?= "0ae1964fb16a0e92b163f48ceb127a40e8397339" +SRCREV ?= "f4b1c01110bf6cf7691aa6f214cecd89a52d5661" SRC_URI = "git://git.yoctoproject.org/poky;branch=zeus \ file://Yocto_Build_Appliance.vmx \ file://Yocto_Build_Appliance.vmxf \ 
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2020-24977.patch b/meta/recipes-core/libxml/libxml2/CVE-2020-24977.patch new file mode 100644 index 0000000000..8224346660 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2020-24977.patch @@ -0,0 +1,41 @@ +From 50f06b3efb638efb0abd95dc62dca05ae67882c2 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer <wellnhofer@aevum.de> +Date: Fri, 7 Aug 2020 21:54:27 +0200 +Subject: [PATCH] Fix out-of-bounds read with 'xmllint --htmlout' + +Make sure that truncated UTF-8 sequences don't cause an out-of-bounds +array access. + +Thanks to @SuhwanSong and the Agency for Defense Development (ADD) for +the report. + +Fixes #178. + +CVE: CVE-2020-24977 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/50f06b3efb638efb0abd95dc62dca05ae67882c2] + +Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> +--- + xmllint.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/xmllint.c b/xmllint.c +index f6a8e463..c647486f 100644 +--- a/xmllint.c ++++ b/xmllint.c +@@ -528,6 +528,12 @@ static void + xmlHTMLEncodeSend(void) { + char *result; + ++ /* ++ * xmlEncodeEntitiesReentrant assumes valid UTF-8, but the buffer might ++ * end with a truncated UTF-8 sequence. This is a hack to at least avoid ++ * an out-of-bounds read. ++ */ ++ memset(&buffer[sizeof(buffer)-4], 0, 4); + result = (char *) xmlEncodeEntitiesReentrant(NULL, BAD_CAST buffer); + if (result) { + xmlGenericError(xmlGenericErrorContext, "%s", result); +-- +2.17.1 + diff --git a/meta/recipes-core/libxml/libxml2_2.9.9.bb b/meta/recipes-core/libxml/libxml2_2.9.9.bb index 1d898ab020..ff496ccfaf 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.9.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.9.bb 
@@ -23,6 +23,7 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \ file://Fix-CVE-2019-19956.patch \ file://CVE-2020-7595.patch \ file://CVE-2019-20388.patch \ + file://CVE-2020-24977.patch \ " SRC_URI[libtar.md5sum] = "c04a5a0a042eaa157e8e8c9eabe76bd6" diff --git a/meta/recipes-core/meta/buildtools-extended-tarball.bb b/meta/recipes-core/meta/buildtools-extended-tarball.bb new file mode 100644 index 0000000000..94ed57585b --- /dev/null +++ b/meta/recipes-core/meta/buildtools-extended-tarball.bb @@ -0,0 +1,36 @@ +require recipes-core/meta/buildtools-tarball.bb + +DESCRIPTION = "SDK type target for building a standalone tarball containing build-essentials, python3, chrpath, \ + make, git and tar. The tarball can be used to run bitbake builds on systems which don't meet the \ + usual version requirements and have ancient compilers." +SUMMARY = "Standalone tarball for running builds on systems with inadequate software and ancient compilers" +LICENSE = "MIT" + +# Add nativesdk equivalent of build-essentials +TOOLCHAIN_HOST_TASK += "\ + nativesdk-automake \ + nativesdk-autoconf \ + nativesdk-binutils \ + nativesdk-binutils-symlinks \ + nativesdk-cpp \ + nativesdk-cpp-symlinks \ + nativesdk-gcc \ + nativesdk-gcc-symlinks \ + nativesdk-g++ \ + nativesdk-g++-symlinks \ + nativesdk-gettext \ + nativesdk-libatomic \ + nativesdk-libgcc \ + nativesdk-libstdc++ \ + nativesdk-libstdc++-dev \ + nativesdk-libstdc++-staticdev \ + nativesdk-libtool \ + nativesdk-pkgconfig \ + nativesdk-glibc-utils \ + nativesdk-python \ + nativesdk-libxcrypt-dev \ + " + +TOOLCHAIN_OUTPUTNAME = "${SDK_ARCH}-buildtools-extended-nativesdk-standalone-${DISTRO_VERSION}" + +SDK_TITLE = "Extended Build tools" diff --git a/meta/recipes-core/meta/buildtools-tarball.bb b/meta/recipes-core/meta/buildtools-tarball.bb index 66201514d7..ceb60b0e48 100644 --- a/meta/recipes-core/meta/buildtools-tarball.bb +++ b/meta/recipes-core/meta/buildtools-tarball.bb 
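Review bot: DESCRIPTION says the tarball contains python3, but the only interpreter added to `TOOLCHAIN_HOST_TASK` here is `nativesdk-python`, which in OE naming is the Python 2 package; if python3 already comes from the required `buildtools-tarball.bb` that is fine, but then the Python 2 entry deserves a comment naming which consumer still needs it, e.g. `# nativesdk-python: Python 2 still required by <consumer — TODO confirm>`, because an end-of-life interpreter in a build-tool bundle is a patching liability. The parent recipe's host task list is not part of this commit, so treat this as something to confirm rather than a known defect.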
@@ -73,7 +73,13 @@ create_sdk_files_append () { toolchain_create_sdk_version ${SDK_OUTPUT}/${SDKPATH}/version-${SDK_SYS} echo 'export GIT_SSL_CAINFO="${SDKPATHNATIVE}${sysconfdir}/ssl/certs/ca-certificates.crt"' >>$script + echo 'export SSL_CERT_FILE="${SDKPATHNATIVE}${sysconfdir}/ssl/certs/ca-certificates.crt"' >>$script + echo 'export OPENSSL_CONF="${SDKPATHNATIVE}${sysconfdir}/ssl/openssl.cnf"' >>$script + mkdir -p ${SDK_OUTPUT}/${SDKPATHNATIVE}${sysconfdir}/ + echo '${SDKPATHNATIVE}${libdir} +${SDKPATHNATIVE}${base_libdir} +include /etc/ld.so.conf' > ${SDK_OUTPUT}/${SDKPATHNATIVE}${sysconfdir}/ld.so.conf if [ "${SDKMACHINE}" = "i686" ]; then echo 'export NO32LIBS="0"' >>$script echo 'echo "$BB_ENV_EXTRAWHITE" | grep -q "NO32LIBS"' >>$script diff --git a/meta/recipes-core/meta/nativesdk-buildtools-perl-dummy.bb b/meta/recipes-core/meta/nativesdk-buildtools-perl-dummy.bb index 5bc11b9daf..cfa41c4ae6 100644 --- a/meta/recipes-core/meta/nativesdk-buildtools-perl-dummy.bb +++ b/meta/recipes-core/meta/nativesdk-buildtools-perl-dummy.bb @@ -15,12 +15,15 @@ DUMMYPROVIDES_PACKAGES = "\ nativesdk-perl-module-file-find \ nativesdk-perl-module-file-glob \ nativesdk-perl-module-file-path \ + nativesdk-perl-module-file-spec \ nativesdk-perl-module-file-stat \ nativesdk-perl-module-getopt-long \ nativesdk-perl-module-io-file \ + nativesdk-perl-module-overloading \ nativesdk-perl-module-posix \ nativesdk-perl-module-thread-queue \ nativesdk-perl-module-threads \ + nativesdk-perl-module-warnings \ " DUMMYPROVIDES = "\ diff --git a/meta/recipes-devtools/binutils/binutils-2.32.inc b/meta/recipes-devtools/binutils/binutils-2.32.inc index 349c3e1154..1f2d033a6c 100644 --- a/meta/recipes-devtools/binutils/binutils-2.32.inc +++ b/meta/recipes-devtools/binutils/binutils-2.32.inc @@ -51,6 +51,7 @@ SRC_URI = "\ file://CVE-2019-14444.patch \ file://CVE-2019-17450.patch \ file://CVE-2019-17451.patch \ + file://0001-Fix-a-missing-include-of-string.patch \ " S = "${WORKDIR}/git" 
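Review bot: The generated ld.so.conf lists `${SDKPATHNATIVE}${libdir}` and `${SDKPATHNATIVE}${base_libdir}` before `include /etc/ld.so.conf`, and nothing in the recipe records why the host's loader configuration is pulled in at all; the rationale lives only in the header of nativesdk-relocation.patch added in this same commit. A one-line comment above the `echo`, e.g. `# SDK libdirs first so they shadow host libraries; /etc/ld.so.conf is included because buildtools is not a sysroot and must still find host system libs`, keeps that reasoning with the code that writes the file. The new `SSL_CERT_FILE` and `OPENSSL_CONF` exports point at SDK-internal paths, consistent with the existing `GIT_SSL_CAINFO` line. `create_sdk_files_append` starts and ends outside the hunk.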
diff --git a/meta/recipes-devtools/binutils/binutils/0001-Fix-a-missing-include-of-string.patch b/meta/recipes-devtools/binutils/binutils/0001-Fix-a-missing-include-of-string.patch new file mode 100644 index 0000000000..9f52ed8938 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0001-Fix-a-missing-include-of-string.patch @@ -0,0 +1,49 @@ +From 1aaf9d481a7c0e20675df165a4968e255521bea8 Mon Sep 17 00:00:00 2001 +From: Trevor Gamblin <trevor.gamblin@windriver.com> +Date: Wed, 28 Apr 2021 09:25:08 -0400 +Subject: [PATCH] Fix a missing include of <string> + +gold/ChangeLog: + +2019-06-07 Martin Liska <mliska@suse.cz> + + * errors.h: Include string. + +Upstream-Status: Backport +(https://github.com/bminor/binutils-gdb/commit/a3972330f) + +Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> +--- + gold/ChangeLog | 3 +++ + gold/errors.h | 1 + + 2 files changed, 4 insertions(+) + +diff --git a/gold/ChangeLog b/gold/ChangeLog +index 458bed793e0..00f804b1bf6 100644 +--- a/gold/ChangeLog ++++ b/gold/ChangeLog +@@ -2,6 +2,9 @@ + + 2.32 Release. + ++2019-06-10 Martin Liska <mliska@suse.cz> ++ ++ * errors.h: Include string. + 2019-01-21 Nick Clifton <nickc@redhat.com> + + * po/uk.po: Updated Ukranian translation. +diff --git a/gold/errors.h b/gold/errors.h +index c26b5586379..ac681e965bb 100644 +--- a/gold/errors.h ++++ b/gold/errors.h +@@ -24,6 +24,7 @@ + #define GOLD_ERRORS_H + + #include <cstdarg> ++#include <string> + + #include "gold-threads.h" + +-- +2.30.2 + diff --git a/meta/recipes-devtools/binutils/binutils/nativesdk-relocation.patch b/meta/recipes-devtools/binutils/binutils/nativesdk-relocation.patch new file mode 100644 index 0000000000..408f7d18b7 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/nativesdk-relocation.patch 
@@ -0,0 +1,80 @@ +We need binutils to look at our ld.so.conf file within the SDK to ensure +we search the SDK's libdirs as well as those from the host system. + +We therefore pass in the directory to the code using a define, then add +it to a section we relocate in a similar way to the way we relocate the +gcc internal paths. This ensures that ld works correctly in our buildtools +tarball. + +Standard sysroot relocation doesn't work since we're not in a sysroot, +we want to use both the host system and SDK libs. + +Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> +2020/1/17 +Upstream-Status: Inappropriate [OE specific tweak] + +Index: git/ld/Makefile.am +=================================================================== +--- git.orig/ld/Makefile.am ++++ git/ld/Makefile.am +@@ -36,7 +36,8 @@ am__skipyacc = + + ELF_CLFAGS=-DELF_LIST_OPTIONS=@elf_list_options@ \ + -DELF_SHLIB_LIST_OPTIONS=@elf_shlib_list_options@ \ +- -DELF_PLT_UNWIND_LIST_OPTIONS=@elf_plt_unwind_list_options@ ++ -DELF_PLT_UNWIND_LIST_OPTIONS=@elf_plt_unwind_list_options@ \ ++ -DSYSCONFDIR="\"$(sysconfdir)\"" + WARN_CFLAGS = @WARN_CFLAGS@ + NO_WERROR = @NO_WERROR@ + AM_CFLAGS = $(WARN_CFLAGS) $(ELF_CLFAGS) +Index: git/ld/Makefile.in +=================================================================== +--- git.orig/ld/Makefile.in ++++ git/ld/Makefile.in +@@ -546,7 +546,8 @@ am__skiplex = + am__skipyacc = + ELF_CLFAGS = -DELF_LIST_OPTIONS=@elf_list_options@ \ + -DELF_SHLIB_LIST_OPTIONS=@elf_shlib_list_options@ \ +- -DELF_PLT_UNWIND_LIST_OPTIONS=@elf_plt_unwind_list_options@ ++ -DELF_PLT_UNWIND_LIST_OPTIONS=@elf_plt_unwind_list_options@ \ ++ -DSYSCONFDIR="\"$(sysconfdir)\"" + + AM_CFLAGS = $(WARN_CFLAGS) $(ELF_CLFAGS) + @ENABLE_PLUGINS_FALSE@PLUGIN_C = +Index: git/ld/emultempl/elf32.em +=================================================================== +--- git.orig/ld/emultempl/elf32.em ++++ git/ld/emultempl/elf32.em +@@ -1024,7 +1024,7 @@ gld${EMULATION_NAME}_check_ld_so_conf (c + + 
info.path = NULL; + info.len = info.alloc = 0; +- tmppath = concat (ld_sysroot, "${prefix}/etc/ld.so.conf", ++ tmppath = concat (ld_sysconfdir, "/ld.so.conf", + (const char *) NULL); + if (!gld${EMULATION_NAME}_parse_ld_so_conf (&info, tmppath)) + { +Index: git/ld/ldmain.c +=================================================================== +--- git.orig/ld/ldmain.c ++++ git/ld/ldmain.c +@@ -68,6 +68,7 @@ char *program_name; + + /* The prefix for system library directories. */ + const char *ld_sysroot; ++char ld_sysconfdir[4096] __attribute__ ((section (".gccrelocprefix"))) = SYSCONFDIR; + + /* The canonical representation of ld_sysroot. */ + char *ld_canon_sysroot; +Index: git/ld/ldmain.h +=================================================================== +--- git.orig/ld/ldmain.h ++++ git/ld/ldmain.h +@@ -23,6 +23,7 @@ + + extern char *program_name; + extern const char *ld_sysroot; ++extern char ld_sysconfdir[4096]; + extern char *ld_canon_sysroot; + extern int ld_canon_sysroot_len; + extern FILE *saved_script_handle; diff --git a/meta/recipes-devtools/binutils/binutils_2.32.bb b/meta/recipes-devtools/binutils/binutils_2.32.bb index 89315915c4..ecdab96658 100644 --- a/meta/recipes-devtools/binutils/binutils_2.32.bb +++ b/meta/recipes-devtools/binutils/binutils_2.32.bb @@ -51,5 +51,10 @@ do_install_class-native () { PACKAGE_BEFORE_PN += "libbfd" FILES_libbfd = "${libdir}/libbfd-*.so" +SRC_URI_append_class-nativesdk = "file://nativesdk-relocation.patch" + +USE_ALTERNATIVES_FOR_class-nativesdk = "" +FILES_${PN}_append_class-nativesdk = " ${bindir}" + BBCLASSEXTEND = "native nativesdk" diff --git a/meta/recipes-devtools/go/go-1.12.inc b/meta/recipes-devtools/go/go-1.12.inc index c3c2d0cfee..2a0680aeaa 100644 --- a/meta/recipes-devtools/go/go-1.12.inc +++ b/meta/recipes-devtools/go/go-1.12.inc 
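Review bot: The new `char ld_sysconfdir[4096] __attribute__ ((section (".gccrelocprefix"))) = SYSCONFDIR;` in ldmain.c carries no comment explaining that the 4096 bytes are a fixed buffer rewritten in place by the SDK relocation step, so nothing warns a maintainer that shrinking it or making it `const` would break the relocated buildtools tarball; a comment like `/* Relocatable at SDK install time: fixed-size buffer patched via .gccrelocprefix, keep it writable and 4096 bytes. */` belongs above it. The literal is repeated in the ldmain.h `extern char ld_sysconfdir[4096];` declaration; one macro used in both places would keep them in sync. The elf32.em change also drops the `ld_sysroot` prefix, so with `--sysroot` the ld.so.conf is now read from the SDK's sysconfdir rather than the target sysroot — the patch header says this is intended, but a one-line comment at the `concat` call would spare the next reader the trip. Whatever rewrites the `.gccrelocprefix` section is not in this patch; it must keep the replacement NUL-terminated and within the 4096-byte buffer — confirm against the relocation script.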
@@ -19,6 +19,9 @@ SRC_URI += "\ file://0001-release-branch.go1.12-security-net-textproto-don-t-n.patch \ file://0010-fix-CVE-2019-17596.patch \ file://CVE-2020-15586.patch \ + file://CVE-2020-16845.patch \ + file://0001-net-http-cgi-rename-a-test-file-to-be-less-cute.patch \ + file://CVE-2020-24553.patch \ " SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch" diff --git a/meta/recipes-devtools/go/go-1.12/0001-net-http-cgi-rename-a-test-file-to-be-less-cute.patch b/meta/recipes-devtools/go/go-1.12/0001-net-http-cgi-rename-a-test-file-to-be-less-cute.patch new file mode 100644 index 0000000000..7c07961c03 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.12/0001-net-http-cgi-rename-a-test-file-to-be-less-cute.patch @@ -0,0 +1,28 @@ +From 8390c478600b852392cb116741b3cb239c94d123 Mon Sep 17 00:00:00 2001 +From: Brad Fitzpatrick <bradfitz@golang.org> +Date: Wed, 15 Jan 2020 18:08:10 +0000 +Subject: [PATCH] net/http/cgi: rename a test file to be less cute + +My fault (from CL 4245070), sorry. + +Change-Id: Ib95d3170dc326e74aa74c22421c4e44a8b00f577 +Reviewed-on: https://go-review.googlesource.com/c/go/+/214920 +Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> +TryBot-Result: Gobot Gobot <gobot@golang.org> +Reviewed-by: Emmanuel Odeke <emm.odeke@gmail.com> + +Upstream-Status: Backport +[lz: Add this patch for merging the patch for CVE-2020-24553] +Signed-off-by: Li Zhou <li.zhou@windriver.com> +--- + src/net/http/cgi/{matryoshka_test.go => integration_test.go} | 0 + 1 file changed, 0 insertions(+), 0 deletions(-) + rename src/net/http/cgi/{matryoshka_test.go => integration_test.go} (100%) + +diff --git a/src/net/http/cgi/matryoshka_test.go b/src/net/http/cgi/integration_test.go +similarity index 100% +rename from src/net/http/cgi/matryoshka_test.go +rename to src/net/http/cgi/integration_test.go +-- +2.17.1 + 
diff --git a/meta/recipes-devtools/go/go-1.12/CVE-2020-16845.patch b/meta/recipes-devtools/go/go-1.12/CVE-2020-16845.patch
new file mode 100644
index 0000000000..80f467522f
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.12/CVE-2020-16845.patch
@@ -0,0 +1,110 @@ +From 027d7241ce050d197e7fabea3d541ffbe3487258 Mon Sep 17 00:00:00 2001 +From: Katie Hockman <katie@golang.org> +Date: Tue, 4 Aug 2020 11:45:32 -0400 +Subject: [PATCH] encoding/binary: read at most MaxVarintLen64 bytes in + ReadUvarint +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This CL ensures that ReadUvarint consumes only a limited +amount of input (instead of an unbounded amount). + +On some inputs, ReadUvarint could read an arbitrary number +of bytes before deciding to return an overflow error. +After this CL, ReadUvarint returns that same overflow +error sooner, after reading at most MaxVarintLen64 bytes. + +Fix authored by Robert Griesemer and Filippo Valsorda. + +Thanks to Diederik Loerakker, Jonny Rhea, Raúl Kripalani, +and Preston Van Loon for reporting this. + +Fixes #40618 +Fixes CVE-2020-16845 + +Change-Id: Ie0cb15972f14c38b7cf7af84c45c4ce54909bb8f +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/812099 +Reviewed-by: Filippo Valsorda <valsorda@google.com> +Reviewed-on: https://go-review.googlesource.com/c/go/+/247120 +Run-TryBot: Katie Hockman <katie@golang.org> +TryBot-Result: Gobot Gobot <gobot@golang.org> +Reviewed-by: Alexander Rakoczy <alex@golang.org> + +Upstream-Status: Backport [https://github.com/golang/go.git] +CVE: CVE-2020-16845 +Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> +--- + src/encoding/binary/varint.go | 5 +++-- + src/encoding/binary/varint_test.go | 18 ++++++++++++------ + 2 files changed, 15 insertions(+), 8 deletions(-) + +diff --git a/src/encoding/binary/varint.go b/src/encoding/binary/varint.go +index bcb8ac9a45..38af61075c 100644 +--- a/src/encoding/binary/varint.go ++++ b/src/encoding/binary/varint.go +@@ -106,13 +106,13 @@ var overflow = errors.New("binary: varint overflows a 64-bit integer") + func ReadUvarint(r io.ByteReader) (uint64, error) { + var x uint64 + var s uint +- for i := 0; ; i++ { ++ for i := 0; i < 
MaxVarintLen64; i++ { + b, err := r.ReadByte() + if err != nil { + return x, err + } + if b < 0x80 { +- if i > 9 || i == 9 && b > 1 { ++ if i == 9 && b > 1 { + return x, overflow + } + return x | uint64(b)<<s, nil +@@ -120,6 +120,7 @@ func ReadUvarint(r io.ByteReader) (uint64, error) { + x |= uint64(b&0x7f) << s + s += 7 + } ++ return x, overflow + } + + // ReadVarint reads an encoded signed integer from r and returns it as an int64. +diff --git a/src/encoding/binary/varint_test.go b/src/encoding/binary/varint_test.go +index ca411ecbd6..6ef4c99505 100644 +--- a/src/encoding/binary/varint_test.go ++++ b/src/encoding/binary/varint_test.go +@@ -121,21 +121,27 @@ func TestBufferTooSmall(t *testing.T) { + } + } + +-func testOverflow(t *testing.T, buf []byte, n0 int, err0 error) { ++func testOverflow(t *testing.T, buf []byte, x0 uint64, n0 int, err0 error) { + x, n := Uvarint(buf) + if x != 0 || n != n0 { + t.Errorf("Uvarint(%v): got x = %d, n = %d; want 0, %d", buf, x, n, n0) + } + +- x, err := ReadUvarint(bytes.NewReader(buf)) +- if x != 0 || err != err0 { +- t.Errorf("ReadUvarint(%v): got x = %d, err = %s; want 0, %s", buf, x, err, err0) ++ r := bytes.NewReader(buf) ++ len := r.Len() ++ x, err := ReadUvarint(r) ++ if x != x0 || err != err0 { ++ t.Errorf("ReadUvarint(%v): got x = %d, err = %s; want %d, %s", buf, x, err, x0, err0) ++ } ++ if read := len - r.Len(); read > MaxVarintLen64 { ++ t.Errorf("ReadUvarint(%v): read more than MaxVarintLen64 bytes, got %d", buf, read) + } + } + + func TestOverflow(t *testing.T) { +- testOverflow(t, []byte{0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x2}, -10, overflow) +- testOverflow(t, []byte{0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x1, 0, 0}, -13, overflow) ++ testOverflow(t, []byte{0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x2}, 0, -10, overflow) ++ testOverflow(t, []byte{0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x1, 0, 0}, 0, -13, overflow) ++ 
testOverflow(t, []byte{0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF}, 1<<64-1, 0, overflow) // 11 bytes, should overflow + } + + func TestNonCanonicalZero(t *testing.T) { +-- +2.17.0 + diff --git a/meta/recipes-devtools/go/go-1.12/CVE-2020-24553.patch b/meta/recipes-devtools/go/go-1.12/CVE-2020-24553.patch new file mode 100644 index 0000000000..18a218bc9a --- /dev/null +++ b/meta/recipes-devtools/go/go-1.12/CVE-2020-24553.patch 
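Review bot: In the new varint_test.go `testOverflow`, `len := r.Len()` shadows the builtin `len` for the rest of the function; `before := r.Len()` with `read := before - r.Len()` reads the same and leaves `len()` usable. This is verbatim from the upstream change, so it is a style point only. The ReadUvarint change itself looks right: the loop is now bounded by `MaxVarintLen64`, and the trailing `return x, overflow` covers the case where all ten bytes still carry the continuation bit, which the added 11×0xFF case exercises while also checking that no more than MaxVarintLen64 bytes were consumed.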
@@ -0,0 +1,429 @@ +From eb07103a083237414145a45f029c873d57037e06 Mon Sep 17 00:00:00 2001 +From: Roberto Clapis <roberto@golang.org> +Date: Wed, 26 Aug 2020 08:53:03 +0200 +Subject: [PATCH] [release-branch.go1.15-security] net/http/cgi,net/http/fcgi: + add Content-Type detection + +This CL ensures that responses served via CGI and FastCGI +have a Content-Type header based on the content of the +response if not explicitly set by handlers. + +If the implementers of the handler did not explicitly +specify a Content-Type both CGI implementations would default +to "text/html", potentially causing cross-site scripting. + +Thanks to RedTeam Pentesting GmbH for reporting this. + +Fixes CVE-2020-24553 + +Change-Id: I82cfc396309b5ab2e8d6e9a87eda8ea7e3799473 +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/823217 +Reviewed-by: Russ Cox <rsc@google.com> +(cherry picked from commit 23d675d07fdc56aafd67c0a0b63d5b7e14708ff0) +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/835311 +Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> + +Upstream-Status: Backport +CVE: CVE-2020-24553 +Signed-off-by: Li Zhou <li.zhou@windriver.com> +--- + src/net/http/cgi/child.go | 36 ++++++++++----- + src/net/http/cgi/child_test.go | 69 ++++++++++++++++++++++++++++ + src/net/http/cgi/integration_test.go | 53 ++++++++++++++++++++- + src/net/http/fcgi/child.go | 39 ++++++++++++---- + src/net/http/fcgi/fcgi_test.go | 52 +++++++++++++++++++++ + 5 files changed, 227 insertions(+), 22 deletions(-) + +diff --git a/src/net/http/cgi/child.go b/src/net/http/cgi/child.go +index 9474175f17..61de6165f6 100644 +--- a/src/net/http/cgi/child.go ++++ b/src/net/http/cgi/child.go +@@ -163,10 +163,12 @@ func Serve(handler http.Handler) error { + } + + type response struct { +- req *http.Request +- header http.Header +- bufw *bufio.Writer +- headerSent bool ++ req *http.Request ++ header http.Header ++ code int ++ wroteHeader bool ++ wroteCGIHeader bool ++ bufw 
*bufio.Writer + } + + func (r *response) Flush() { +@@ -178,26 +180,38 @@ func (r *response) Header() http.Header { + } + + func (r *response) Write(p []byte) (n int, err error) { +- if !r.headerSent { ++ if !r.wroteHeader { + r.WriteHeader(http.StatusOK) + } ++ if !r.wroteCGIHeader { ++ r.writeCGIHeader(p) ++ } + return r.bufw.Write(p) + } + + func (r *response) WriteHeader(code int) { +- if r.headerSent { ++ if r.wroteHeader { + // Note: explicitly using Stderr, as Stdout is our HTTP output. + fmt.Fprintf(os.Stderr, "CGI attempted to write header twice on request for %s", r.req.URL) + return + } +- r.headerSent = true +- fmt.Fprintf(r.bufw, "Status: %d %s\r\n", code, http.StatusText(code)) ++ r.wroteHeader = true ++ r.code = code ++} + +- // Set a default Content-Type ++// writeCGIHeader finalizes the header sent to the client and writes it to the output. ++// p is not written by writeHeader, but is the first chunk of the body ++// that will be written. It is sniffed for a Content-Type if none is ++// set explicitly. 
++func (r *response) writeCGIHeader(p []byte) { ++ if r.wroteCGIHeader { ++ return ++ } ++ r.wroteCGIHeader = true ++ fmt.Fprintf(r.bufw, "Status: %d %s\r\n", r.code, http.StatusText(r.code)) + if _, hasType := r.header["Content-Type"]; !hasType { +- r.header.Add("Content-Type", "text/html; charset=utf-8") ++ r.header.Set("Content-Type", http.DetectContentType(p)) + } +- + r.header.Write(r.bufw) + r.bufw.WriteString("\r\n") + r.bufw.Flush() +diff --git a/src/net/http/cgi/child_test.go b/src/net/http/cgi/child_test.go +index 14e0af475f..f6ecb6eb80 100644 +--- a/src/net/http/cgi/child_test.go ++++ b/src/net/http/cgi/child_test.go +@@ -7,6 +7,11 @@ + package cgi + + import ( ++ "bufio" ++ "bytes" ++ "net/http" ++ "net/http/httptest" ++ "strings" + "testing" + ) + +@@ -148,3 +153,67 @@ func TestRequestWithoutRemotePort(t *testing.T) { + t.Errorf("RemoteAddr: got %q; want %q", g, e) + } + } ++ ++type countingWriter int ++ ++func (c *countingWriter) Write(p []byte) (int, error) { ++ *c += countingWriter(len(p)) ++ return len(p), nil ++} ++func (c *countingWriter) WriteString(p string) (int, error) { ++ *c += countingWriter(len(p)) ++ return len(p), nil ++} ++ ++func TestResponse(t *testing.T) { ++ var tests = []struct { ++ name string ++ body string ++ wantCT string ++ }{ ++ { ++ name: "no body", ++ wantCT: "text/plain; charset=utf-8", ++ }, ++ { ++ name: "html", ++ body: "<html><head><title>test page</title></head><body>This is a body</body></html>", ++ wantCT: "text/html; charset=utf-8", ++ }, ++ { ++ name: "text", ++ body: strings.Repeat("gopher", 86), ++ wantCT: "text/plain; charset=utf-8", ++ }, ++ { ++ name: "jpg", ++ body: "\xFF\xD8\xFF" + strings.Repeat("B", 1024), ++ wantCT: "image/jpeg", ++ }, ++ } ++ for _, tt := range tests { ++ t.Run(tt.name, func(t *testing.T) { ++ var buf bytes.Buffer ++ resp := response{ ++ req: httptest.NewRequest("GET", "/", nil), ++ header: http.Header{}, ++ bufw: bufio.NewWriter(&buf), ++ } ++ n, err := resp.Write([]byte(tt.body)) ++ 
if err != nil { ++ t.Errorf("Write: unexpected %v", err) ++ } ++ if want := len(tt.body); n != want { ++ t.Errorf("reported short Write: got %v want %v", n, want) ++ } ++ resp.writeCGIHeader(nil) ++ resp.Flush() ++ if got := resp.Header().Get("Content-Type"); got != tt.wantCT { ++ t.Errorf("wrong content-type: got %q, want %q", got, tt.wantCT) ++ } ++ if !bytes.HasSuffix(buf.Bytes(), []byte(tt.body)) { ++ t.Errorf("body was not correctly written") ++ } ++ }) ++ } ++} +diff --git a/src/net/http/cgi/integration_test.go b/src/net/http/cgi/integration_test.go +index 32d59c09a3..295c3b82d4 100644 +--- a/src/net/http/cgi/integration_test.go ++++ b/src/net/http/cgi/integration_test.go +@@ -16,7 +16,9 @@ import ( + "io" + "net/http" + "net/http/httptest" ++ "net/url" + "os" ++ "strings" + "testing" + "time" + ) +@@ -52,7 +54,7 @@ func TestHostingOurselves(t *testing.T) { + } + replay := runCgiTest(t, h, "GET /test.go?foo=bar&a=b HTTP/1.0\nHost: example.com\n\n", expectedMap) + +- if expected, got := "text/html; charset=utf-8", replay.Header().Get("Content-Type"); got != expected { ++ if expected, got := "text/plain; charset=utf-8", replay.Header().Get("Content-Type"); got != expected { + t.Errorf("got a Content-Type of %q; expected %q", got, expected) + } + if expected, got := "X-Test-Value", replay.Header().Get("X-Test-Header"); got != expected { +@@ -152,6 +154,51 @@ func TestChildOnlyHeaders(t *testing.T) { + } + } + ++func TestChildContentType(t *testing.T) { ++ testenv.MustHaveExec(t) ++ ++ h := &Handler{ ++ Path: os.Args[0], ++ Root: "/test.go", ++ Args: []string{"-test.run=TestBeChildCGIProcess"}, ++ } ++ var tests = []struct { ++ name string ++ body string ++ wantCT string ++ }{ ++ { ++ name: "no body", ++ wantCT: "text/plain; charset=utf-8", ++ }, ++ { ++ name: "html", ++ body: "<html><head><title>test page</title></head><body>This is a body</body></html>", ++ wantCT: "text/html; charset=utf-8", ++ }, ++ { ++ name: "text", ++ body: strings.Repeat("gopher", 86), ++ 
wantCT: "text/plain; charset=utf-8", ++ }, ++ { ++ name: "jpg", ++ body: "\xFF\xD8\xFF" + strings.Repeat("B", 1024), ++ wantCT: "image/jpeg", ++ }, ++ } ++ for _, tt := range tests { ++ t.Run(tt.name, func(t *testing.T) { ++ expectedMap := map[string]string{"_body": tt.body} ++ req := fmt.Sprintf("GET /test.go?exact-body=%s HTTP/1.0\nHost: example.com\n\n", url.QueryEscape(tt.body)) ++ replay := runCgiTest(t, h, req, expectedMap) ++ if got := replay.Header().Get("Content-Type"); got != tt.wantCT { ++ t.Errorf("got a Content-Type of %q; expected it to start with %q", got, tt.wantCT) ++ } ++ }) ++ } ++} ++ + // golang.org/issue/7198 + func Test500WithNoHeaders(t *testing.T) { want500Test(t, "/immediate-disconnect") } + func Test500WithNoContentType(t *testing.T) { want500Test(t, "/no-content-type") } +@@ -203,6 +250,10 @@ func TestBeChildCGIProcess(t *testing.T) { + if req.FormValue("no-body") == "1" { + return + } ++ if eb, ok := req.Form["exact-body"]; ok { ++ io.WriteString(rw, eb[0]) ++ return ++ } + if req.FormValue("write-forever") == "1" { + io.Copy(rw, neverEnding('a')) + for { +diff --git a/src/net/http/fcgi/child.go b/src/net/http/fcgi/child.go +index 30a6b2ce2d..a31273b3ec 100644 +--- a/src/net/http/fcgi/child.go ++++ b/src/net/http/fcgi/child.go +@@ -74,10 +74,12 @@ func (r *request) parseParams() { + + // response implements http.ResponseWriter. 
+ type response struct { +- req *request +- header http.Header +- w *bufWriter +- wroteHeader bool ++ req *request ++ header http.Header ++ code int ++ wroteHeader bool ++ wroteCGIHeader bool ++ w *bufWriter + } + + func newResponse(c *child, req *request) *response { +@@ -92,11 +94,14 @@ func (r *response) Header() http.Header { + return r.header + } + +-func (r *response) Write(data []byte) (int, error) { ++func (r *response) Write(p []byte) (n int, err error) { + if !r.wroteHeader { + r.WriteHeader(http.StatusOK) + } +- return r.w.Write(data) ++ if !r.wroteCGIHeader { ++ r.writeCGIHeader(p) ++ } ++ return r.w.Write(p) + } + + func (r *response) WriteHeader(code int) { +@@ -104,22 +109,34 @@ func (r *response) WriteHeader(code int) { + return + } + r.wroteHeader = true ++ r.code = code + if code == http.StatusNotModified { + // Must not have body. + r.header.Del("Content-Type") + r.header.Del("Content-Length") + r.header.Del("Transfer-Encoding") +- } else if r.header.Get("Content-Type") == "" { +- r.header.Set("Content-Type", "text/html; charset=utf-8") + } +- + if r.header.Get("Date") == "" { + r.header.Set("Date", time.Now().UTC().Format(http.TimeFormat)) + } ++} + +- fmt.Fprintf(r.w, "Status: %d %s\r\n", code, http.StatusText(code)) ++// writeCGIHeader finalizes the header sent to the client and writes it to the output. ++// p is not written by writeHeader, but is the first chunk of the body ++// that will be written. It is sniffed for a Content-Type if none is ++// set explicitly. 
++func (r *response) writeCGIHeader(p []byte) { ++ if r.wroteCGIHeader { ++ return ++ } ++ r.wroteCGIHeader = true ++ fmt.Fprintf(r.w, "Status: %d %s\r\n", r.code, http.StatusText(r.code)) ++ if _, hasType := r.header["Content-Type"]; r.code != http.StatusNotModified && !hasType { ++ r.header.Set("Content-Type", http.DetectContentType(p)) ++ } + r.header.Write(r.w) + r.w.WriteString("\r\n") ++ r.w.Flush() + } + + func (r *response) Flush() { +@@ -290,6 +307,8 @@ func (c *child) serveRequest(req *request, body io.ReadCloser) { + httpReq = httpReq.WithContext(envVarCtx) + c.handler.ServeHTTP(r, httpReq) + } ++ // Make sure we serve something even if nothing was written to r ++ r.Write(nil) + r.Close() + c.mu.Lock() + delete(c.requests, req.reqId) +diff --git a/src/net/http/fcgi/fcgi_test.go b/src/net/http/fcgi/fcgi_test.go +index e9d2b34023..4a27a12c35 100644 +--- a/src/net/http/fcgi/fcgi_test.go ++++ b/src/net/http/fcgi/fcgi_test.go +@@ -10,6 +10,7 @@ import ( + "io" + "io/ioutil" + "net/http" ++ "strings" + "testing" + ) + +@@ -344,3 +345,54 @@ func TestChildServeReadsEnvVars(t *testing.T) { + <-done + } + } ++ ++func TestResponseWriterSniffsContentType(t *testing.T) { ++ var tests = []struct { ++ name string ++ body string ++ wantCT string ++ }{ ++ { ++ name: "no body", ++ wantCT: "text/plain; charset=utf-8", ++ }, ++ { ++ name: "html", ++ body: "<html><head><title>test page</title></head><body>This is a body</body></html>", ++ wantCT: "text/html; charset=utf-8", ++ }, ++ { ++ name: "text", ++ body: strings.Repeat("gopher", 86), ++ wantCT: "text/plain; charset=utf-8", ++ }, ++ { ++ name: "jpg", ++ body: "\xFF\xD8\xFF" + strings.Repeat("B", 1024), ++ wantCT: "image/jpeg", ++ }, ++ } ++ for _, tt := range tests { ++ t.Run(tt.name, func(t *testing.T) { ++ input := make([]byte, len(streamFullRequestStdin)) ++ copy(input, streamFullRequestStdin) ++ rc := nopWriteCloser{bytes.NewBuffer(input)} ++ done := make(chan bool) ++ var resp *response ++ c := newChild(rc, 
http.HandlerFunc(func( ++ w http.ResponseWriter, ++ r *http.Request, ++ ) { ++ io.WriteString(w, tt.body) ++ resp = w.(*response) ++ done <- true ++ })) ++ defer c.cleanUp() ++ go c.serve() ++ <-done ++ if got := resp.Header().Get("Content-Type"); got != tt.wantCT { ++ t.Errorf("got a Content-Type of %q; expected it to start with %q", got, tt.wantCT) ++ } ++ }) ++ } ++} +-- +2.17.1 + diff --git a/meta/recipes-devtools/nasm/nasm/0001-BR3392712-pp_tokline-fix-double-free.patch b/meta/recipes-devtools/nasm/nasm/0001-BR3392712-pp_tokline-fix-double-free.patch new file mode 100644 index 0000000000..b2cd3fe24b --- /dev/null +++ b/meta/recipes-devtools/nasm/nasm/0001-BR3392712-pp_tokline-fix-double-free.patch @@ -0,0 +1,36 @@ +From 652c58c92d9e8eaf09a0eb125c4fe2d4b6cc3397 Mon Sep 17 00:00:00 2001 +From: Cyrill Gorcunov <gorcunov@gmail.com> +Date: Tue, 15 Sep 2020 15:50:20 +0800 +Subject: [PATCH] BR3392712: pp_tokline: fix double free + +Make sure the data being freed get double +freed after -- the pointers must be zapped +(actually nasm_free and free_tlist support +being called with NULL pointer as an argument). + +Upstream-Status: Backport [https://github.com/netwide-assembler/nasm/commit/8806c3ca007b84accac21dd88b900fb03614ceb7] +CVE: CVE-2020-24978 + +Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com> +Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com> +--- + asm/preproc.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/asm/preproc.c b/asm/preproc.c +index 2737ec1..da2c9c9 100644 +--- a/asm/preproc.c ++++ b/asm/preproc.c +@@ -5119,6 +5119,9 @@ static char *pp_getline(void) + free_tlist(m->iline); + nasm_free(m->paramlen); + l->finishes->in_progress = 0; ++ m->params = NULL; ++ m->iline = NULL; ++ m->paramlen = NULL; + } + } + +-- +2.13.3 + diff --git a/meta/recipes-devtools/nasm/nasm_2.14.02.bb b/meta/recipes-devtools/nasm/nasm_2.14.02.bb index bd4ecea8b6..bb2b58f87e 100644 --- a/meta/recipes-devtools/nasm/nasm_2.14.02.bb 
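Review bot: After this change cgi/child.go's `WriteHeader` only records `r.code`; the `Status:` line and headers are emitted solely from `writeCGIHeader`, which is reached only through `Write`. The fcgi side guards against a handler that never writes with the new `r.Write(nil)` in `serveRequest`, but no equivalent appears for the cgi `Serve` path in these hunks, so a handler that only calls `WriteHeader` (a 204, or a redirect with no body) would presumably produce an empty CGI response unless `Serve` already does this outside the visible diff; a `Write(nil) // make sure a response is sent` on the response right after `ServeHTTP` returns would close that gap. Separately, `http.DetectContentType(p)` only ever sees the first chunk handed to `Write`, so a handler that writes a short prefix first gets a type sniffed from that prefix alone, unlike net/http's server which buffers up to 512 bytes before sniffing; worth one sentence in the `writeCGIHeader` doc comment. `Serve` itself lies outside the hunks shown.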
+++ b/meta/recipes-devtools/nasm/nasm_2.14.02.bb @@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=90904486f8fbf1861cf42752e1a39efe" SRC_URI = "http://www.nasm.us/pub/nasm/releasebuilds/${PV}/nasm-${PV}.tar.bz2 \ file://CVE-2018-19755.patch \ file://CVE-2019-14248.patch \ + file://0001-BR3392712-pp_tokline-fix-double-free.patch \ " SRC_URI[md5sum] = "3f489aa48ad2aa1f967dc5e293bbd06f" diff --git a/meta/recipes-devtools/python/python3-testtools/no_traceback2.patch b/meta/recipes-devtools/python/python3-testtools/no_traceback2.patch new file mode 100644 index 0000000000..594510342b --- /dev/null +++ b/meta/recipes-devtools/python/python3-testtools/no_traceback2.patch @@ -0,0 +1,23 @@ +traceback2 adds traceback for python2. Rather than depend on traceback2, we're +python3 only so just use traceback. +This caused breakage in oe-selftest -j which uses testtools on the autobuilder +using buildtools-tarball. + +Upstream-Status: Inappropriate [Our recipe is python3 specific] +(Once py2 is EOL upstream probably could/should take this) +Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> + +Index: testtools-2.3.0/testtools/content.py +=================================================================== +--- testtools-2.3.0.orig/testtools/content.py ++++ testtools-2.3.0/testtools/content.py +@@ -19,8 +19,7 @@ import os + import sys + + from extras import try_import +-# To let setup.py work, make this a conditional import. +-traceback = try_import('traceback2') ++import traceback + + from testtools.compat import ( + _b, diff --git a/meta/recipes-devtools/python/python3-testtools_2.3.0.bb b/meta/recipes-devtools/python/python3-testtools_2.3.0.bb index 896ecee65c..a254b90a75 100644 --- a/meta/recipes-devtools/python/python3-testtools_2.3.0.bb +++ b/meta/recipes-devtools/python/python3-testtools_2.3.0.bb @@ -1,2 +1,4 @@ inherit setuptools3 require python-testtools.inc + +SRC_URI += "file://no_traceback2.patch" 
diff --git a/meta/recipes-devtools/python/python3/CVE-2020-26116.patch b/meta/recipes-devtools/python/python3/CVE-2020-26116.patch
new file mode 100644
index 0000000000..2820999063
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2020-26116.patch
@@ -0,0 +1,106 @@ +From ca75fec1ed358f7324272608ca952b2d8226d11a Mon Sep 17 00:00:00 2001 +From: "Miss Islington (bot)" + <31488909+miss-islington@users.noreply.github.com> +Date: Sun, 19 Jul 2020 02:27:35 -0700 +Subject: [PATCH] bpo-39603: Prevent header injection in http methods + (GH-18485) (GH-21538) + +reject control chars in http method in http.client.putrequest to prevent http header injection +(cherry picked from commit 8ca8a2e8fb068863c1138f07e3098478ef8be12e) + +Co-authored-by: AMIR <31338382+amiremohamadi@users.noreply.github.com> + +Upstream-Status: Backport +CVE: CVE-2020-26116 +Signed-off-by: Li Zhou <li.zhou@windriver.com> +--- + Lib/http/client.py | 15 +++++++++++++ + Lib/test/test_httplib.py | 22 +++++++++++++++++++ + .../2020-02-12-14-17-39.bpo-39603.Gt3RSg.rst | 2 ++ + 3 files changed, 39 insertions(+) + create mode 100644 Misc/NEWS.d/next/Security/2020-02-12-14-17-39.bpo-39603.Gt3RSg.rst + +diff --git a/Lib/http/client.py b/Lib/http/client.py +index 09c57af865..04cd8f7d84 100644 +--- a/Lib/http/client.py ++++ b/Lib/http/client.py +@@ -150,6 +150,10 @@ _contains_disallowed_url_pchar_re = re.compile('[\x00-\x20\x7f]') + # _is_allowed_url_pchars_re = re.compile(r"^[/!$&'()*+,;=:@%a-zA-Z0-9._~-]+$") + # We are more lenient for assumed real world compatibility purposes. + ++# These characters are not allowed within HTTP method names ++# to prevent http header injection. ++_contains_disallowed_method_pchar_re = re.compile('[\x00-\x1f]') ++ + # We always set the Content-Length header for these methods because some + # servers will otherwise respond with a 411 + _METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'} +@@ -1109,6 +1113,8 @@ class HTTPConnection: + else: + raise CannotSendRequest(self.__state) + ++ self._validate_method(method) ++ + # Save the method for use later in the response phase + self._method = method + +@@ -1199,6 +1205,15 @@ class HTTPConnection: + # ASCII also helps prevent CVE-2019-9740. 
+ return request.encode('ascii') + ++ def _validate_method(self, method): ++ """Validate a method name for putrequest.""" ++ # prevent http header injection ++ match = _contains_disallowed_method_pchar_re.search(method) ++ if match: ++ raise ValueError( ++ f"method can't contain control characters. {method!r} " ++ f"(found at least {match.group()!r})") ++ + def _validate_path(self, url): + """Validate a url for putrequest.""" + # Prevent CVE-2019-9740. +diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py +index 891393ab86..3fa0691d3a 100644 +--- a/Lib/test/test_httplib.py ++++ b/Lib/test/test_httplib.py +@@ -363,6 +363,28 @@ class HeaderTests(TestCase): + self.assertEqual(lines[3], "header: Second: val2") + + ++class HttpMethodTests(TestCase): ++ def test_invalid_method_names(self): ++ methods = ( ++ 'GET\r', ++ 'POST\n', ++ 'PUT\n\r', ++ 'POST\nValue', ++ 'POST\nHOST:abc', ++ 'GET\nrHost:abc\n', ++ 'POST\rRemainder:\r', ++ 'GET\rHOST:\n', ++ '\nPUT' ++ ) ++ ++ for method in methods: ++ with self.assertRaisesRegex( ++ ValueError, "method can't contain control characters"): ++ conn = client.HTTPConnection('example.com') ++ conn.sock = FakeSocket(None) ++ conn.request(method=method, url="/") ++ ++ + class TransferEncodingTest(TestCase): + expected_body = b"It's just a flesh wound" + +diff --git a/Misc/NEWS.d/next/Security/2020-02-12-14-17-39.bpo-39603.Gt3RSg.rst b/Misc/NEWS.d/next/Security/2020-02-12-14-17-39.bpo-39603.Gt3RSg.rst +new file mode 100644 +index 0000000000..990affc3ed +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2020-02-12-14-17-39.bpo-39603.Gt3RSg.rst +@@ -0,0 +1,2 @@ ++Prevent http header injection by rejecting control characters in ++http.client.putrequest(...). +-- +2.17.1 + diff --git a/meta/recipes-devtools/python/python3_3.7.8.bb b/meta/recipes-devtools/python/python3_3.7.8.bb index b18b3cd47d..cd4bee5a88 100644 --- a/meta/recipes-devtools/python/python3_3.7.8.bb +++ b/meta/recipes-devtools/python/python3_3.7.8.bb 
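Review bot: The new `_contains_disallowed_method_pchar_re = re.compile('[\x00-\x1f]')` rejects C0 control characters only, while the path check defined just above it (`[\x00-\x20\x7f]`) also rejects space and DEL; neither is a valid token character for a method name under RFC 7230, so the two validators are inconsistent about what reaches the request line. Since this is a verbatim backport of the upstream fix the narrower class is presumably deliberate, but a comment next to the new pattern saying so would stop the next reader from "fixing" the inconsistency, e.g. `# Deliberately narrower than the path check: only CR/LF-class controls enable header injection.` The pattern is written as a plain string with `\x` escapes, matching the existing `_contains_disallowed_url_pchar_re` style, so no change there. `_validate_method` is called before `self._method = method` is stored, which is the right place.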
@@ -30,6 +30,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
 file://0001-test_locale.py-correct-the-test-output-format.patch \
 file://0017-setup.py-do-not-report-missing-dependencies-for-disa.patch \
 file://CVE-2020-14422.patch \
+ file://CVE-2020-26116.patch \
 "
 
 SRC_URI_append_class-native = " \
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 5cdba1f02c..cbade92ac9 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -39,6 +39,11 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
 file://CVE-2020-11869.patch \
 file://CVE-2020-13765.patch \
 file://CVE-2020-10702.patch \
+ file://CVE-2020-16092.patch \
+ file://CVE-2020-10756.patch \
+ file://CVE-2020-15863.patch \
+ file://CVE-2020-14364.patch \
+ file://CVE-2020-12829.patch \
 "
 
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-10756.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-10756.patch
new file mode 100644
index 0000000000..306aef061b
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-10756.patch
@@ -0,0 +1,40 @@ +From c7ede54cbd2e2b25385325600958ba0124e31cc0 Mon Sep 17 00:00:00 2001 +From: Ralf Haferkamp <rhafer@suse.com> +Date: Fri, 3 Jul 2020 14:51:16 +0200 +Subject: [PATCH] Drop bogus IPv6 messages + +Drop IPv6 message shorter than what's mentioned in the payload +length header (+ the size of the IPv6 header). They're invalid an could +lead to data leakage in icmp6_send_echoreply(). + +CVE: CVE-2020-10756 +Upstream-Status: Backport +https://gitlab.freedesktop.org/slirp/libslirp/-/commit/c7ede54cbd2e2b25385325600958ba0124e31cc0 + +[SG: Based on libslirp commit c7ede54cbd2e2b25385325600958ba0124e31cc0 and adjusted context] +Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com> +--- + slirp/src/ip6_input.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/slirp/src/ip6_input.c b/slirp/src/ip6_input.c +index d9d2b7e9..0f2b1785 100644 +--- a/slirp/src/ip6_input.c ++++ b/slirp/src/ip6_input.c +@@ -49,6 +49,13 @@ void ip6_input(struct mbuf *m) + goto bad; + } + ++ // Check if the message size is big enough to hold what's ++ // set in the payload length header. If not this is an invalid ++ // packet ++ if (m->m_len < ntohs(ip6->ip_pl) + sizeof(struct ip6)) { ++ goto bad; ++ } ++ + /* check ip_ttl for a correct ICMP reply */ + if (ip6->ip_hl == 0) { + icmp6_send_error(m, ICMP6_TIMXCEED, ICMP6_TIMXCEED_INTRANS); +-- +2.17.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-12829.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829.patch new file mode 100644 index 0000000000..46e494dec0 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829.patch 
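Review bot: The new check `if (m->m_len < ntohs(ip6->ip_pl) + sizeof(struct ip6))` compares `m_len` against a `size_t` sum, so if `m_len` is a signed int (as in slirp's mbuf — confirm) the comparison is performed unsigned; that is only safe because the `goto bad` in the context just above presumably already rejects buffers shorter than the IPv6 header, and a one-line comment stating that dependency would keep it from being reordered away. The added comment uses `//` while the surrounding code uses `/* */` (see the `/* check ip_ttl ... */` context line); match the file's style. The check rejects frames shorter than the declared payload but leaves trailing bytes beyond it untouched, which is presumably fine as later code works from `ip_pl`, but is worth saying in the comment. ip6_input continues outside the hunk.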
@@ -0,0 +1,267 @@ +From b15a22bbcbe6a78dc3d88fe3134985e4cdd87de4 Mon Sep 17 00:00:00 2001 +From: BALATON Zoltan <balaton@eik.bme.hu> +Date: Thu, 21 May 2020 21:39:44 +0200 +Subject: [PATCH] sm501: Replace hand written implementation with pixman +where possible + +Besides being faster this should also prevent malicious guests to +abuse 2D engine to overwrite data or cause a crash. + +Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu> +Message-id: +58666389b6cae256e4e972a32c05cf8aa51bffc0.1590089984.git.balaton@eik.bme.hu +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> + +Upstream-Status: Backport +CVE: CVE-2020-12829 +[https://git.qemu.org/?p=qemu.git;a=commit;h=b15a22bbcbe6a78dc3d88fe3134985e4cdd87de4] +Signed-off-by: Li Wang <li.wang@windriver.com> +--- + hw/display/sm501.c | 205 ++++++++++++++++++++++++++------------------- + 1 file changed, 118 insertions(+), 87 deletions(-) + +diff --git a/hw/display/sm501.c b/hw/display/sm501.c +index 5918f59..b52c7e8 100644 +--- a/hw/display/sm501.c ++++ b/hw/display/sm501.c +@@ -702,12 +702,12 @@ static void sm501_2d_operation(SM501State *s) + /* obtain operation parameters */ + int operation = (s->twoD_control >> 16) & 0x1f; + int rtl = s->twoD_control & 0x8000000; +- int src_x = (s->twoD_source >> 16) & 0x01FFF; +- int src_y = s->twoD_source & 0xFFFF; +- int dst_x = (s->twoD_destination >> 16) & 0x01FFF; +- int dst_y = s->twoD_destination & 0xFFFF; +- int operation_width = (s->twoD_dimension >> 16) & 0x1FFF; +- int operation_height = s->twoD_dimension & 0xFFFF; ++ unsigned int src_x = (s->twoD_source >> 16) & 0x01FFF; ++ unsigned int src_y = s->twoD_source & 0xFFFF; ++ unsigned int dst_x = (s->twoD_destination >> 16) & 0x01FFF; ++ unsigned int dst_y = s->twoD_destination & 0xFFFF; ++ unsigned int operation_width = (s->twoD_dimension >> 16) & 0x1FFF; ++ unsigned int operation_height = s->twoD_dimension & 0xFFFF; + uint32_t color = s->twoD_foreground; + int format_flags = (s->twoD_stretch >> 20) & 0x3; + int addressing = 
(s->twoD_stretch >> 16) & 0xF; +@@ -719,10 +719,8 @@ static void sm501_2d_operation(SM501State *s) + uint32_t dst_base = s->twoD_destination_base & 0x03FFFFFF; + + /* get frame buffer info */ +- uint8_t *src = s->local_mem + src_base; +- uint8_t *dst = s->local_mem + dst_base; +- int src_width = s->twoD_pitch & 0x1FFF; +- int dst_width = (s->twoD_pitch >> 16) & 0x1FFF; ++ unsigned int src_width = s->twoD_pitch & 0x1FFF; ++ unsigned int dst_width = (s->twoD_pitch >> 16) & 0x1FFF; + int crt = (s->dc_crt_control & SM501_DC_CRT_CONTROL_SEL) ? 1 : 0; + int fb_len = get_width(s, crt) * get_height(s, crt) * get_bpp(s, crt); + +@@ -731,95 +729,128 @@ static void sm501_2d_operation(SM501State *s) + abort(); + } + +- if (rop_mode == 0) { +- if (rop != 0xcc) { +- /* Anything other than plain copies are not supported */ +- qemu_log_mask(LOG_UNIMP, "sm501: rop3 mode with rop %x is not " +- "supported.\n", rop); +- } +- } else { +- if (rop2_source_is_pattern && rop != 0x5) { +- /* For pattern source, we support only inverse dest */ +- qemu_log_mask(LOG_UNIMP, "sm501: rop2 source being the pattern and " +- "rop %x is not supported.\n", rop); +- } else { +- if (rop != 0x5 && rop != 0xc) { +- /* Anything other than plain copies or inverse dest is not +- * supported */ +- qemu_log_mask(LOG_UNIMP, "sm501: rop mode %x is not " +- "supported.\n", rop); +- } +- } +- } +- + if ((s->twoD_source_base & 0x08000000) || + (s->twoD_destination_base & 0x08000000)) { + printf("%s: only local memory is supported.\n", __func__); + abort(); + } + +- switch (operation) { +- case 0x00: /* copy area */ +-#define COPY_AREA(_bpp, _pixel_type, rtl) { \ +- int y, x, index_d, index_s; \ +- for (y = 0; y < operation_height; y++) { \ +- for (x = 0; x < operation_width; x++) { \ +- _pixel_type val; \ +- \ +- if (rtl) { \ +- index_s = ((src_y - y) * src_width + src_x - x) * _bpp; \ +- index_d = ((dst_y - y) * dst_width + dst_x - x) * _bpp; \ +- } else { \ +- index_s = ((src_y + y) * src_width + src_x + x) * 
_bpp; \ +- index_d = ((dst_y + y) * dst_width + dst_x + x) * _bpp; \ +- } \ +- if (rop_mode == 1 && rop == 5) { \ +- /* Invert dest */ \ +- val = ~*(_pixel_type *)&dst[index_d]; \ +- } else { \ +- val = *(_pixel_type *)&src[index_s]; \ +- } \ +- *(_pixel_type *)&dst[index_d] = val; \ +- } \ +- } \ ++ if (!dst_width) { ++ qemu_log_mask(LOG_GUEST_ERROR, "sm501: Zero dest pitch.\n"); ++ return; + } +- switch (format_flags) { +- case 0: +- COPY_AREA(1, uint8_t, rtl); +- break; +- case 1: +- COPY_AREA(2, uint16_t, rtl); +- break; +- case 2: +- COPY_AREA(4, uint32_t, rtl); +- break; +- } +- break; + +- case 0x01: /* fill rectangle */ +-#define FILL_RECT(_bpp, _pixel_type) { \ +- int y, x; \ +- for (y = 0; y < operation_height; y++) { \ +- for (x = 0; x < operation_width; x++) { \ +- int index = ((dst_y + y) * dst_width + dst_x + x) * _bpp; \ +- *(_pixel_type *)&dst[index] = (_pixel_type)color; \ +- } \ +- } \ ++ if (!operation_width || !operation_height) { ++ qemu_log_mask(LOG_GUEST_ERROR, "sm501: Zero size 2D op.\n"); ++ return; + } + +- switch (format_flags) { +- case 0: +- FILL_RECT(1, uint8_t); +- break; +- case 1: +- color = cpu_to_le16(color); +- FILL_RECT(2, uint16_t); +- break; +- case 2: ++ if (rtl) { ++ dst_x -= operation_width - 1; ++ dst_y -= operation_height - 1; ++ } ++ ++ if (dst_base >= get_local_mem_size(s) || dst_base + ++ (dst_x + operation_width + (dst_y + operation_height) * (dst_width + operation_width)) * ++ (1 << format_flags) >= get_local_mem_size(s)) { ++ qemu_log_mask(LOG_GUEST_ERROR, "sm501: 2D op dest is outside vram.\n"); ++ return; ++ } ++ ++ switch (operation) { ++ case 0: /* BitBlt */ ++ if (!src_width) { ++ qemu_log_mask(LOG_GUEST_ERROR, "sm501: Zero src pitch.\n"); ++ return; ++ } ++ ++ if (rtl) { ++ src_x -= operation_width - 1; ++ src_y -= operation_height - 1; ++ } ++ ++ if (src_base >= get_local_mem_size(s) || src_base + ++ (src_x + operation_width + (src_y + operation_height) * (src_width + operation_width)) * ++ (1 << 
format_flags) >= get_local_mem_size(s)) { ++ qemu_log_mask(LOG_GUEST_ERROR, ++ "sm501: 2D op src is outside vram.\n"); ++ return; ++ } ++ ++ if ((rop_mode && rop == 0x5) || (!rop_mode && rop == 0x55)) { ++ /* Invert dest, is there a way to do this with pixman? */ ++ unsigned int x, y, i; ++ uint8_t *d = s->local_mem + dst_base; ++ ++ for (y = 0; y < operation_height; y++) { ++ i = (dst_x + (dst_y + y) * dst_width) * (1 << format_flags); ++ for (x = 0; x < operation_width; x++, i += (1 << format_flags)) { ++ switch (format_flags) { ++ case 0: ++ d[i] = ~d[i]; ++ break; ++ case 1: ++ *(uint16_t *)&d[i] = ~*(uint16_t *)&d[i]; ++ break; ++ case 2: ++ *(uint32_t *)&d[i] = ~*(uint32_t *)&d[i]; ++ break; ++ } ++ } ++ } ++ } else { ++ /* Do copy src for unimplemented ops, better than unpainted area */ ++ if ((rop_mode && (rop != 0xc || rop2_source_is_pattern)) || ++ (!rop_mode && rop != 0xcc)) { ++ qemu_log_mask(LOG_UNIMP, ++ "sm501: rop%d op %x%s not implemented\n", ++ (rop_mode ? 2 : 3), rop, ++ (rop2_source_is_pattern ? 
++ " with pattern source" : "")); ++ } ++ /* Check for overlaps, this could be made more exact */ ++ uint32_t sb, se, db, de; ++ sb = src_base + src_x + src_y * (operation_width + src_width); ++ se = sb + operation_width + operation_height * (operation_width + src_width); ++ db = dst_base + dst_x + dst_y * (operation_width + dst_width); ++ de = db + operation_width + operation_height * (operation_width + dst_width); ++ if (rtl && ((db >= sb && db <= se) || (de >= sb && de <= se))) { ++ /* regions may overlap: copy via temporary */ ++ int llb = operation_width * (1 << format_flags); ++ int tmp_stride = DIV_ROUND_UP(llb, sizeof(uint32_t)); ++ uint32_t *tmp = g_malloc(tmp_stride * sizeof(uint32_t) * ++ operation_height); ++ pixman_blt((uint32_t *)&s->local_mem[src_base], tmp, ++ src_width * (1 << format_flags) / sizeof(uint32_t), ++ tmp_stride, 8 * (1 << format_flags), 8 * (1 << format_flags), ++ src_x, src_y, 0, 0, operation_width, operation_height); ++ pixman_blt(tmp, (uint32_t *)&s->local_mem[dst_base], ++ tmp_stride, ++ dst_width * (1 << format_flags) / sizeof(uint32_t), ++ 8 * (1 << format_flags), 8 * (1 << format_flags), ++ 0, 0, dst_x, dst_y, operation_width, operation_height); ++ g_free(tmp); ++ } else { ++ pixman_blt((uint32_t *)&s->local_mem[src_base], ++ (uint32_t *)&s->local_mem[dst_base], ++ src_width * (1 << format_flags) / sizeof(uint32_t), ++ dst_width * (1 << format_flags) / sizeof(uint32_t), ++ 8 * (1 << format_flags), 8 * (1 << format_flags), ++ src_x, src_y, dst_x, dst_y, operation_width, operation_height); ++ } ++ } ++ break; ++ ++ case 1: /* Rectangle Fill */ ++ if (format_flags == 2) { + color = cpu_to_le32(color); +- FILL_RECT(4, uint32_t); +- break; ++ } else if (format_flags == 1) { ++ color = cpu_to_le16(color); + } ++ ++ pixman_fill((uint32_t *)&s->local_mem[dst_base], ++ dst_width * (1 << format_flags) / sizeof(uint32_t), ++ 8 * (1 << format_flags), dst_x, dst_y, operation_width, operation_height, color); + break; + + default: +-- +2.17.1 
+ diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-14364.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-14364.patch new file mode 100644 index 0000000000..a109ac08d6 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-14364.patch 
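Review bot: In the new `if (rtl)` blocks, `dst_x -= operation_width - 1` / `dst_y -= operation_height - 1` (and the src_x/src_y counterparts in the BitBlt case) operate on the coordinates this patch deliberately made `unsigned int`, so a guest that programs dst_x smaller than operation_width - 1 makes the subtraction wrap; the bounds check that follows adds operation_width back into its estimate, which cancels the wrap, and the wrapped value then reaches the invert loop's index `i` and the pixman_blt/pixman_fill calls, where it appears to be interpreted as a negative coordinate. Unless something outside the hunk rejects that case, this looks like a remaining out-of-bounds access on local_mem. I would refuse the underflow before subtracting: `if (rtl && (dst_x < operation_width - 1 || dst_y < operation_height - 1)) { qemu_log_mask(LOG_GUEST_ERROR, "sm501: rtl 2D op origin underflows.\n"); return; }`, with the same check on src_x/src_y before the src subtraction in the BitBlt case. The sm501_2d_operation() body continues past the hunk (the `default:` case).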
@@ -0,0 +1,93 @@ +From b946434f2659a182afc17e155be6791ebfb302eb Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann <kraxel@redhat.com> +Date: Tue, 25 Aug 2020 07:36:36 +0200 +Subject: [PATCH] usb: fix setup_len init (CVE-2020-14364) + +Store calculated setup_len in a local variable, verify it, and only +write it to the struct (USBDevice->setup_len) in case it passed the +sanity checks. + +This prevents other code (do_token_{in,out} functions specifically) +from working with invalid USBDevice->setup_len values and overrunning +the USBDevice->setup_buf[] buffer. + +Fixes: CVE-2020-14364 +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +Tested-by: Gonglei <arei.gonglei@huawei.com> +Reviewed-by: Li Qiang <liq3ea@gmail.com> +Message-id: 20200825053636.29648-1-kraxel@redhat.com + +Upstream-Status: Backport +CVE: CVE-2020-14364 +[https://git.qemu.org/?p=qemu.git;a=patch;h=b946434f2659a182afc17e155be6791ebfb302eb] +Signed-off-by: Li Wang <li.wang@windriver.com> +--- + hw/usb/core.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +diff --git a/hw/usb/core.c b/hw/usb/core.c +index 5abd128..5234dcc 100644 +--- a/hw/usb/core.c ++++ b/hw/usb/core.c +@@ -129,6 +129,7 @@ void usb_wakeup(USBEndpoint *ep, unsigned int stream) + static void do_token_setup(USBDevice *s, USBPacket *p) + { + int request, value, index; ++ unsigned int setup_len; + + if (p->iov.size != 8) { + p->status = USB_RET_STALL; +@@ -138,14 +139,15 @@ static void do_token_setup(USBDevice *s, USBPacket *p) + usb_packet_copy(p, s->setup_buf, p->iov.size); + s->setup_index = 0; + p->actual_length = 0; +- s->setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6]; +- if (s->setup_len > sizeof(s->data_buf)) { ++ setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6]; ++ if (setup_len > sizeof(s->data_buf)) { + fprintf(stderr, + "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n", +- s->setup_len, sizeof(s->data_buf)); ++ setup_len, sizeof(s->data_buf)); + p->status = USB_RET_STALL; + 
return; + } ++ s->setup_len = setup_len; + + request = (s->setup_buf[0] << 8) | s->setup_buf[1]; + value = (s->setup_buf[3] << 8) | s->setup_buf[2]; +@@ -259,26 +261,28 @@ static void do_token_out(USBDevice *s, USBPacket *p) + static void do_parameter(USBDevice *s, USBPacket *p) + { + int i, request, value, index; ++ unsigned int setup_len; + + for (i = 0; i < 8; i++) { + s->setup_buf[i] = p->parameter >> (i*8); + } + + s->setup_state = SETUP_STATE_PARAM; +- s->setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6]; + s->setup_index = 0; + + request = (s->setup_buf[0] << 8) | s->setup_buf[1]; + value = (s->setup_buf[3] << 8) | s->setup_buf[2]; + index = (s->setup_buf[5] << 8) | s->setup_buf[4]; + +- if (s->setup_len > sizeof(s->data_buf)) { ++ setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6]; ++ if (setup_len > sizeof(s->data_buf)) { + fprintf(stderr, + "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n", +- s->setup_len, sizeof(s->data_buf)); ++ setup_len, sizeof(s->data_buf)); + p->status = USB_RET_STALL; + return; + } ++ s->setup_len = setup_len; + + if (p->pid == USB_TOKEN_OUT) { + usb_packet_copy(p, s->data_buf, s->setup_len); +-- +2.17.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch new file mode 100644 index 0000000000..9927584d11 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch 
@@ -0,0 +1,64 @@ +From 5519724a13664b43e225ca05351c60b4468e4555 Mon Sep 17 00:00:00 2001 +From: Mauro Matteo Cascella <mcascell@redhat.com> +Date: Fri, 10 Jul 2020 11:19:41 +0200 +Subject: [PATCH] hw/net/xgmac: Fix buffer overflow in xgmac_enet_send() + +A buffer overflow issue was reported by Mr. Ziming Zhang, CC'd here. It +occurs while sending an Ethernet frame due to missing break statements +and improper checking of the buffer size. + +Reported-by: Ziming Zhang <ezrakiez@gmail.com> +Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com> +Reviewed-by: Peter Maydell <peter.maydell@linaro.org> +Signed-off-by: Jason Wang <jasowang@redhat.com> + +CVE: CVE-2020-15863 +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=5519724a13664b43e225ca05351c60b4468e4555] +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> +Signed-off-by: Li Wang <li.wang@windriver.com> +--- + hw/net/xgmac.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/hw/net/xgmac.c b/hw/net/xgmac.c +index f49df95..f496f7e 100644 +--- a/hw/net/xgmac.c ++++ b/hw/net/xgmac.c +@@ -217,21 +217,31 @@ static void xgmac_enet_send(XgmacState *s) + } + len = (bd.buffer1_size & 0xfff) + (bd.buffer2_size & 0xfff); + ++ /* ++ * FIXME: these cases of malformed tx descriptors (bad sizes) ++ * should probably be reported back to the guest somehow ++ * rather than simply silently stopping processing, but we ++ * don't know what the hardware does in this situation. ++ * This will only happen for buggy guests anyway. ++ */ + if ((bd.buffer1_size & 0xfff) > 2048) { + DEBUGF_BRK("qemu:%s:ERROR...ERROR...ERROR... -- " + "xgmac buffer 1 len on send > 2048 (0x%x)\n", + __func__, bd.buffer1_size & 0xfff); ++ break; + } + if ((bd.buffer2_size & 0xfff) != 0) { + DEBUGF_BRK("qemu:%s:ERROR...ERROR...ERROR... 
-- " + "xgmac buffer 2 len on send != 0 (0x%x)\n", + __func__, bd.buffer2_size & 0xfff); ++ break; + } +- if (len >= sizeof(frame)) { ++ if (frame_size + len >= sizeof(frame)) { + DEBUGF_BRK("qemu:%s: buffer overflow %d read into %zu " +- "buffer\n" , __func__, len, sizeof(frame)); ++ "buffer\n" , __func__, frame_size + len, sizeof(frame)); + DEBUGF_BRK("qemu:%s: buffer1.size=%d; buffer2.size=%d\n", + __func__, bd.buffer1_size, bd.buffer2_size); ++ break; + } + + cpu_physical_memory_read(bd.buffer1_addr, ptr, len); +-- +1.9.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-16092.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-16092.patch new file mode 100644 index 0000000000..8ce01e26ad --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-16092.patch 
@@ -0,0 +1,49 @@ +From 035e69b063835a5fd23cacabd63690a3d84532a8 Mon Sep 17 00:00:00 2001 +From: Mauro Matteo Cascella <mcascell@redhat.com> +Date: Sat, 1 Aug 2020 18:42:38 +0200 +Subject: [PATCH] hw/net/net_tx_pkt: fix assertion failure in + net_tx_pkt_add_raw_fragment() + +An assertion failure issue was found in the code that processes network +packets +while adding data fragments into the packet context. It could be abused +by a +malicious guest to abort the QEMU process on the host. This patch +replaces the +affected assert() with a conditional statement, returning false if the +current +data fragment exceeds max_raw_frags. + +Reported-by: Alexander Bulekov <alxndr@bu.edu> +Reported-by: Ziming Zhang <ezrakiez@gmail.com> +Reviewed-by: Dmitry Fleytman <dmitry.fleytman@gmail.com> +Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com> +Signed-off-by: Jason Wang <jasowang@redhat.com> + +Upstream-Status: Backport +CVE: CVE-2020-16092 +[https://git.qemu.org/?p=qemu.git;a=commit;h=035e69b063835a5fd23cacabd63690a3d84532a8] +Signed-off-by: Li Wang <li.wang@windriver.com> +--- + hw/net/net_tx_pkt.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c +index 162f802..54d4c3b 100644 +--- a/hw/net/net_tx_pkt.c ++++ b/hw/net/net_tx_pkt.c +@@ -379,7 +379,10 @@ bool net_tx_pkt_add_raw_fragment(struct NetTxPkt *pkt, hwaddr pa, + hwaddr mapped_len = 0; + struct iovec *ventry; + assert(pkt); +- assert(pkt->max_raw_frags > pkt->raw_frags); ++ ++ if (pkt->raw_frags >= pkt->max_raw_frags) { ++ return false; ++ } + + if (!len) { + return true; +-- +2.17.1 + diff --git a/meta/recipes-extended/procps/procps/0001-top-avoid-a-potential-SEGV-during-program-terminatio.patch b/meta/recipes-extended/procps/procps/0001-top-avoid-a-potential-SEGV-during-program-terminatio.patch new file mode 100644 index 0000000000..4f7a01e41b --- /dev/null 
+++ b/meta/recipes-extended/procps/procps/0001-top-avoid-a-potential-SEGV-during-program-terminatio.patch 
@@ -0,0 +1,61 @@ +From d37f85c269fbb6e905802ffdbce0ba4173ba21a9 Mon Sep 17 00:00:00 2001 +From: Jim Warner <james.warner@comcast.net> +Date: Tue, 6 Aug 2019 00:00:00 -0500 +Subject: [PATCH] top: avoid a potential SEGV during program termination + +The backtrace shown in the bug report referenced below +illustrates a 'normal' program termination interrupted +with some signal, ultimately then causing a top crash. + +So this commit just rearranges a little code such that +all signals will be blocked during that rather lengthy +end of program processing regardless of how initiated. + +[ in that report, ignore the assertion regarding the ] +[ '-n' option. it obviously was not '1' since do_key ] +[ had been called, which otherwise wouldn't be true. ] + +[ and when it is '1' the -d option would be ignored. ] + +Reference(s): +https://bugzilla.redhat.com/show_bug.cgi?id=1737552 + +Signed-off-by: Jim Warner <james.warner@comcast.net> +Upstream-Status: Backport[https://gitlab.com/procps-ng/procps.git] +Signed-off-by: Shaohua Zhan <shaohua.zhan@windriver.com> +Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> +--- + top/top.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/top/top.c b/top/top.c +index b01907a..73598e2 100644 +--- a/top/top.c ++++ b/top/top.c +@@ -404,6 +404,11 @@ static void at_eoj (void) { + * The real program end */ + static void bye_bye (const char *str) NORETURN; + static void bye_bye (const char *str) { ++ sigset_t ss; ++ ++// POSIX.1-2004 async-signal-safe: sigfillset, sigprocmask ++ sigfillset(&ss); ++ sigprocmask(SIG_BLOCK, &ss, NULL); + at_eoj(); // restore tty in preparation for exit + #ifdef ATEOJ_RPTSTD + { proc_t *p; +@@ -595,12 +600,6 @@ static void sig_abexit (int sig) { + * SIGUSR1 and SIGUSR2 */ + static void sig_endpgm (int dont_care_sig) NORETURN; + static void sig_endpgm (int dont_care_sig) { +- sigset_t ss; +- +-// POSIX.1-2004 async-signal-safe: sigfillset, sigprocmask +- sigfillset(&ss); +- 
sigprocmask(SIG_BLOCK, &ss, NULL); +- Frames_signal = BREAK_sig; + bye_bye(NULL); + (void)dont_care_sig; + } // end: sig_endpgm +-- +GitLab diff --git a/meta/recipes-extended/procps/procps/0001-top-restore-one-line-of-code-to-sig_endpgm-function.patch b/meta/recipes-extended/procps/procps/0001-top-restore-one-line-of-code-to-sig_endpgm-function.patch new file mode 100644 index 0000000000..9fe11b898d --- /dev/null +++ b/meta/recipes-extended/procps/procps/0001-top-restore-one-line-of-code-to-sig_endpgm-function.patch @@ -0,0 +1,38 @@ +From ed34b1228ed08fbfdbf6f1a61ca7ca62448ccd86 Mon Sep 17 00:00:00 2001 +From: Jim Warner <james.warner@comcast.net> +Date: Wed, 22 Jan 2020 00:00:00 -0600 +Subject: [PATCH] top: restore one line of code to sig_endpgm() function + +When that potential abend at program end was addressed +in the patch shown below, one line of code was removed +in error. That line served to suppress some end-of-job +reports should ATEOJ_RPTSTD or ATEOJ_RPTHSH be active. + +So, this patch restores that previously deleted logic. + +Reference(s): +. potential SEGV fix, master branch +commit d37f85c269fbb6e905802ffdbce0ba4173ba21a9 + +Signed-off-by: Jim Warner <james.warner@comcast.net> +Upstream-Status: Backport[https://gitlab.com/procps-ng/procps.git] +Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> +--- + top/top.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/top/top.c b/top/top.c +index 8e8c7d9..63ec5fe 100644 +--- a/top/top.c ++++ b/top/top.c +@@ -604,6 +604,7 @@ static void sig_abexit (int sig) { + * SIGUSR1 and SIGUSR2 */ + static void sig_endpgm (int dont_care_sig) NORETURN; + static void sig_endpgm (int dont_care_sig) { ++ Frames_signal = BREAK_sig; + bye_bye(NULL); + (void)dont_care_sig; + } // end: sig_endpgm +-- +2.17.0 + diff --git a/meta/recipes-extended/procps/procps_3.3.15.bb b/meta/recipes-extended/procps/procps_3.3.15.bb index f240e54fd8..bf7ee63775 100644 --- a/meta/recipes-extended/procps/procps_3.3.15.bb 
+++ b/meta/recipes-extended/procps/procps_3.3.15.bb @@ -15,6 +15,8 @@ inherit autotools gettext pkgconfig update-alternatives SRC_URI = "http://downloads.sourceforge.net/project/procps-ng/Production/procps-ng-${PV}.tar.xz \ file://sysctl.conf \ file://0001-Fix-out-of-tree-builds.patch \ + file://0001-top-avoid-a-potential-SEGV-during-program-terminatio.patch \ + file://0001-top-restore-one-line-of-code-to-sig_endpgm-function.patch \ " SRC_URI[md5sum] = "2b0717a7cb474b3d6dfdeedfbad2eccc" diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14347.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14347.patch new file mode 100644 index 0000000000..20a604869b --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14347.patch @@ -0,0 +1,37 @@ +From aac28e162e5108510065ad4c323affd6deffd816 Mon Sep 17 00:00:00 2001 +From: Matthieu Herrb <matthieu@herrb.eu> +Date: Sat, 25 Jul 2020 19:33:50 +0200 +Subject: [PATCH] fix for ZDI-11426 + +Avoid leaking un-initalized memory to clients by zeroing the +whole pixmap on initial allocation. + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Matthieu Herrb <matthieu@herrb.eu> +Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> + +Upstream-Status: Backport +CVE: CVE-2020-14347 +Signed-off-by: Li Zhou <li.zhou@windriver.com> +--- + dix/pixmap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/dix/pixmap.c b/dix/pixmap.c +index 1186d7dbb..5a0146bbb 100644 +--- a/dix/pixmap.c ++++ b/dix/pixmap.c +@@ -116,7 +116,7 @@ AllocatePixmap(ScreenPtr pScreen, int pixDataSize) + if (pScreen->totalPixmapSize > ((size_t) - 1) - pixDataSize) + return NullPixmap; + +- pPixmap = malloc(pScreen->totalPixmapSize + pixDataSize); ++ pPixmap = calloc(1, pScreen->totalPixmapSize + pixDataSize); + if (!pPixmap) + return NullPixmap; + +-- +2.17.1 + 
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.5.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.5.bb index 3de6d22e57..f0f15a2584 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.5.bb +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.5.bb @@ -5,6 +5,7 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat file://0001-test-xtest-Initialize-array-with-braces.patch \ file://0001-compiler.h-Do-not-include-sys-io.h-on-ARM-with-glibc.patch \ file://sdksyms-no-build-path.patch \ + file://CVE-2020-14347.patch \ " SRC_URI[md5sum] = "c9fc7e21e11286dbedd22c00df652130" SRC_URI[sha256sum] = "a81d8243f37e75a03d4f8c55f96d0bc25802be6ec45c3bfa5cb614c6d01bac9d" diff --git a/meta/recipes-support/attr/acl_2.2.52.bb b/meta/recipes-support/attr/acl_2.2.52.bb index 6bc77d868d..31ec64a43d 100644 --- a/meta/recipes-support/attr/acl_2.2.52.bb +++ b/meta/recipes-support/attr/acl_2.2.52.bb @@ -25,6 +25,9 @@ SRC_URI[sha256sum] = "179074bb0580c06c4b4137be4c5a92a701583277967acdb5546043c787 require ea-acl.inc +# Has issues with newer versions of make +PARALLEL_MAKEINST = "" + # avoid RPATH hardcode to staging dir do_configure_append() { sed -i ${S}/config.status -e s,^\\\(hardcode_into_libs=\\\).*$,\\1\'no\', diff --git a/meta/recipes-support/attr/attr_2.4.47.bb b/meta/recipes-support/attr/attr_2.4.47.bb index fc88bef830..c3da66a0c7 100644 --- a/meta/recipes-support/attr/attr_2.4.47.bb +++ b/meta/recipes-support/attr/attr_2.4.47.bb @@ -12,4 +12,7 @@ SRC_URI += "file://attr-Missing-configure.ac.patch \ SRC_URI[md5sum] = "84f58dec00b60f2dc8fd1c9709291cc7" SRC_URI[sha256sum] = "25772f653ac5b2e3ceeb89df50e4688891e21f723c460636548971652af0a859" +# Has issues with newer versions of make +PARALLEL_MAKEINST = "" + BBCLASSEXTEND = "native nativesdk" diff --git a/meta/recipes-support/curl/curl/CVE-2020-8169.patch b/meta/recipes-support/curl/curl/CVE-2020-8169.patch new file mode 100644 index 0000000000..476d86af6e 
--- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2020-8169.patch 
@@ -0,0 +1,141 @@ +From 600a8cded447cd7118ed50142c576567c0cf5158 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Thu, 14 May 2020 14:37:12 +0200 +Subject: [PATCH] url: make the updated credentials URL-encoded in the URL + +Found-by: Gregory Jefferis +Reported-by: Jeroen Ooms +Added test 1168 to verify. Bug spotted when doing a redirect. +Bug: https://github.com/jeroen/curl/issues/224 +Closes #5400 + +Upstream-Status: Backport +https://github.com/curl/curl/commit/600a8cded447cd + +CVE: CVE-2020-8169 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + lib/url.c | 6 ++-- + tests/data/Makefile.inc | 1 + + tests/data/test1168 | 78 +++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 83 insertions(+), 2 deletions(-) + create mode 100644 tests/data/test1168 + +Index: curl-7.69.1/lib/url.c +=================================================================== +--- curl-7.69.1.orig/lib/url.c ++++ curl-7.69.1/lib/url.c +@@ -2776,12 +2776,14 @@ static CURLcode override_login(struct Cu + + /* for updated strings, we update them in the URL */ + if(user_changed) { +- uc = curl_url_set(data->state.uh, CURLUPART_USER, *userp, 0); ++ uc = curl_url_set(data->state.uh, CURLUPART_USER, *userp, ++ CURLU_URLENCODE); + if(uc) + return Curl_uc_to_curlcode(uc); + } + if(passwd_changed) { +- uc = curl_url_set(data->state.uh, CURLUPART_PASSWORD, *passwdp, 0); ++ uc = curl_url_set(data->state.uh, CURLUPART_PASSWORD, *passwdp, ++ CURLU_URLENCODE); + if(uc) + return Curl_uc_to_curlcode(uc); + } +Index: curl-7.69.1/tests/data/Makefile.inc +=================================================================== +--- curl-7.69.1.orig/tests/data/Makefile.inc ++++ curl-7.69.1/tests/data/Makefile.inc +@@ -129,7 +129,7 @@ + test1136 test1137 test1138 test1139 test1140 test1141 test1142 test1143 \ + test1144 test1145 test1146 test1147 test1148 test1149 test1150 test1151 \ + test1152 test1153 test1154 test1155 test1156 test1157 test1158 test1159 \ +-test1160 test1161 
test1162 test1163 test1164 test1165 \ ++test1160 test1161 test1162 test1163 test1164 test1165 test1168 \ + test1170 test1171 test1172 test1173 test1174 \ + \ + test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \ +Index: curl-7.69.1/tests/data/test1168 +=================================================================== +--- /dev/null ++++ curl-7.69.1/tests/data/test1168 +@@ -0,0 +1,78 @@ ++<testcase> ++<info> ++<keywords> ++HTTP ++HTTP GET ++followlocation ++</keywords> ++</info> ++# Server-side ++<reply> ++<data> ++HTTP/1.1 301 This is a weirdo text message swsclose ++Date: Thu, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Location: /data/11680002.txt ++Connection: close ++ ++This server reply is for testing a simple Location: following ++ ++</data> ++<data2> ++HTTP/1.1 200 Followed here fine swsclose ++Date: Thu, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 52 ++ ++If this is received, the location following worked ++ ++</data2> ++<datacheck> ++HTTP/1.1 301 This is a weirdo text message swsclose ++Date: Thu, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Location: /data/11680002.txt ++Connection: close ++ ++HTTP/1.1 200 Followed here fine swsclose ++Date: Thu, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 52 ++ ++If this is received, the location following worked ++ ++</datacheck> ++</reply> ++ ++# Client-side ++<client> ++<server> ++http ++</server> ++ <name> ++HTTP redirect with credentials using # in user and password ++ </name> ++ <command> ++http://%HOSTIP:%HTTPPORT/want/1168 -L -u "catmai#d:#DZaRJYrixKE*gFY" ++</command> ++</client> ++ ++# Verify data after the test has been "shot" ++<verify> ++<strip> ++^User-Agent:.* ++</strip> ++<protocol> ++GET /want/1168 HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++Authorization: Basic Y2F0bWFpI2Q6I0RaYVJKWXJpeEtFKmdGWQ== ++Accept: */* ++ ++GET /data/11680002.txt HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++Authorization: Basic 
Y2F0bWFpI2Q6I0RaYVJKWXJpeEtFKmdGWQ== ++Accept: */* ++ ++</protocol> ++</verify> ++</testcase> diff --git a/meta/recipes-support/curl/curl/CVE-2020-8177.patch b/meta/recipes-support/curl/curl/CVE-2020-8177.patch new file mode 100644 index 0000000000..81ec59848c --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2020-8177.patch 
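Review bot: The backport's file headers reference `curl-7.69.1/lib/url.c` and `curl-7.69.1/tests/data/Makefile.inc`, while the recipe this patch is added to is curl_7.66.0.bb (the SRC_URI hunk further down), so the hunk offsets and the test-list context (`test1160 ... test1165`) were taken from a different release. Please confirm the patch applies to 7.66.0 without fuzz and that `CURLU_URLENCODE` exists in that version, or regenerate it against 7.66.0, and move the upstream commit URL onto the `Upstream-Status: Backport [...]` line per OE convention. The change itself is sound: test1168 exercises credentials containing `#`, which without URL-encoding would be written into the URL unescaped and then misparsed when the URL is re-read on the redirect.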
@@ -0,0 +1,67 @@ +From 8236aba58542c5f89f1d41ca09d84579efb05e22 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Sun, 31 May 2020 23:09:59 +0200 +Subject: [PATCH] tool_getparam: -i is not OK if -J is used + +Reported-by: sn on hackerone +Bug: https://curl.haxx.se/docs/CVE-2020-8177.html + +Upstream-Status: Backport +CVE:CVE-2020-8177 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + src/tool_cb_hdr.c | 22 ++++------------------ + src/tool_getparam.c | 5 +++++ + 2 files changed, 9 insertions(+), 18 deletions(-) + +Index: curl-7.69.1/src/tool_cb_hdr.c +=================================================================== +--- curl-7.69.1.orig/src/tool_cb_hdr.c ++++ curl-7.69.1/src/tool_cb_hdr.c +@@ -134,25 +134,11 @@ + filename = parse_filename(p, len); + if(filename) { + if(outs->stream) { +- int rc; +- /* already opened and possibly written to */ +- if(outs->fopened) +- fclose(outs->stream); +- outs->stream = NULL; ++ /* indication of problem, get out! */ ++ free(filename); ++ return failure; ++ } + +- /* rename the initial file name to the new file name */ +- rc = rename(outs->filename, filename); +- if(rc != 0) { +- warnf(outs->config->global, "Failed to rename %s -> %s: %s\n", +- outs->filename, filename, strerror(errno)); +- } +- if(outs->alloc_filename) +- Curl_safefree(outs->filename); +- if(rc != 0) { +- free(filename); +- return failure; +- } +- } + outs->is_cd_filename = TRUE; + outs->s_isreg = TRUE; + outs->fopened = FALSE; +Index: curl-7.69.1/src/tool_getparam.c +=================================================================== +--- curl-7.69.1.orig/src/tool_getparam.c ++++ curl-7.69.1/src/tool_getparam.c +@@ -1807,6 +1807,11 @@ ParameterError getparameter(const char * + } + break; + case 'i': ++ if(config->content_disposition) { ++ warnf(global, ++ "--include and --remote-header-name cannot be combined.\n"); ++ return PARAM_BAD_USE; ++ } + config->show_headers = toggle; /* show the headers as well in the + general output 
stream */ + break; diff --git a/meta/recipes-support/curl/curl_7.66.0.bb b/meta/recipes-support/curl/curl_7.66.0.bb index a54e0536e9..506ae0eade 100644 --- a/meta/recipes-support/curl/curl_7.66.0.bb +++ b/meta/recipes-support/curl/curl_7.66.0.bb @@ -8,6 +8,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=be5d9e1419c4363f4b32037a2d3b7ffa" SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \ file://0001-replace-krb5-config-with-pkg-config.patch \ file://CVE-2019-15601.patch \ + file://CVE-2020-8169.patch \ + file://CVE-2020-8177.patch \ " SRC_URI[md5sum] = "c238aa394e3aa47ca4fcb0491774149f" diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2020-24659.patch b/meta/recipes-support/gnutls/gnutls/CVE-2020-24659.patch new file mode 100644 index 0000000000..1702325e66 --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/CVE-2020-24659.patch 
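Review bot: The new parse-time rejection lives only in `case 'i'`, so it fires when `-i` follows `-J`; the reverse order (`-i` first, then `-J`) is not caught here and is only refused later by the tool_cb_hdr.c change once an output stream is already open. Unless the `'J'` case (outside this hunk) already carries the mirror check, add it there for consistency: `if(config->show_headers) { warnf(global, "--include and --remote-header-name cannot be combined.\n"); return PARAM_BAD_USE; }`. The tool_cb_hdr.c part is the core of the fix and looks right: it drops the `rename()` of the already-open output file to a server-supplied name and frees `filename` before returning failure.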
@@ -0,0 +1,117 @@
+From 29ee67c205855e848a0a26e6d0e4f65b6b943e0a Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Sat, 22 Aug 2020 17:19:39 +0200
+Subject: [PATCH] handshake: reject no_renegotiation alert if handshake is
+ incomplete
+
+If the initial handshake is incomplete and the server sends a
+no_renegotiation alert, the client should treat it as a fatal error
+even if its level is warning. Otherwise the same handshake
+state (e.g., DHE parameters) are reused in the next gnutls_handshake
+call, if it is called in the loop idiom:
+
+ do {
+ ret = gnutls_handshake(session);
+ } while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+CVE: CVE-2020-24659
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls.git]
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+---
+ lib/gnutls_int.h | 1 +
+ lib/handshake.c | 48 +++++++++++++-----
+ 2 files changed, 36 insertions(+), 13 deletions(-)
+
+diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
+index bb6c19713..31cec5c0c 100644
+--- a/lib/gnutls_int.h
++++ b/lib/gnutls_int.h
+@@ -1370,6 +1370,7 @@ typedef struct {
+ #define HSK_RECORD_SIZE_LIMIT_RECEIVED (1<<26) /* server: record_size_limit extension was seen but not accepted yet */
+ #define HSK_OCSP_REQUESTED (1<<27) /* server: client requested OCSP stapling */
+ #define HSK_CLIENT_OCSP_REQUESTED (1<<28) /* client: server requested OCSP stapling */
++#define HSK_SERVER_HELLO_RECEIVED (1<<29) /* client: Server Hello message has been received */
+ 
+ /* The hsk_flags are for use within the ongoing handshake;
+ * they are reset to zero prior to handshake start by gnutls_handshake.
*/
+diff --git a/lib/handshake.c b/lib/handshake.c
+index b40f84b3d..ce2d160e2 100644
+--- a/lib/handshake.c
++++ b/lib/handshake.c
+@@ -2051,6 +2051,8 @@ read_server_hello(gnutls_session_t session,
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+ 
++ session->internals.hsk_flags |= HSK_SERVER_HELLO_RECEIVED;
++
+ return 0;
+ }
+ 
+@@ -2575,16 +2577,42 @@ int gnutls_rehandshake(gnutls_session_t session)
+ return 0;
+ }
+ 
++/* This function checks whether the error code should be treated fatal
++ * or not, and also does the necessary state transition. In
++ * particular, in the case of a rehandshake abort it resets the
++ * handshake's internal state.
++ */
+ inline static int
+ _gnutls_abort_handshake(gnutls_session_t session, int ret)
+ {
+- if (((ret == GNUTLS_E_WARNING_ALERT_RECEIVED) &&
+- (gnutls_alert_get(session) == GNUTLS_A_NO_RENEGOTIATION))
+- || ret == GNUTLS_E_GOT_APPLICATION_DATA)
+- return 0;
++ switch (ret) {
++ case GNUTLS_E_WARNING_ALERT_RECEIVED:
++ if (gnutls_alert_get(session) == GNUTLS_A_NO_RENEGOTIATION) {
++ /* The server always toleretes a "no_renegotiation" alert. */
++ if (session->security_parameters.entity == GNUTLS_SERVER) {
++ STATE = STATE0;
++ return ret;
++ }
++
++ /* The client should tolerete a "no_renegotiation" alert only if:
++ * - the initial handshake has completed, or
++ * - a Server Hello is not yet received
++ */
++ if (session->internals.initial_negotiation_completed ||
++ !(session->internals.hsk_flags & HSK_SERVER_HELLO_RECEIVED)) {
++ STATE = STATE0;
++ return ret;
++ }
+ 
+- /* this doesn't matter */
+- return GNUTLS_E_INTERNAL_ERROR;
++ return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET);
++ }
++ return ret;
++ case GNUTLS_E_GOT_APPLICATION_DATA:
++ STATE = STATE0;
++ return ret;
++ default:
++ return ret;
++ }
+ }
+ 
+ 
+@@ -2747,13 +2774,7 @@ int gnutls_handshake(gnutls_session_t session)
+ }
+ 
+ if (ret < 0) {
+- /* In the case of a rehandshake abort
+- * we should reset the handshake's internal state.
+- */
+- if (_gnutls_abort_handshake(session, ret) == 0)
+- STATE = STATE0;
+-
+- return ret;
++ return _gnutls_abort_handshake(session, ret);
+ }
+ 
+ /* clear handshake buffer */
+-- 
+2.17.0
+
diff --git a/meta/recipes-support/gnutls/gnutls_3.6.13.bb b/meta/recipes-support/gnutls/gnutls_3.6.13.bb
index ab537981ac..2ed012f9d6 100644
--- a/meta/recipes-support/gnutls/gnutls_3.6.13.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.6.13.bb
@@ -22,6 +22,7 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
 file://CVE-2020-13777-a.patch \
 file://CVE-2020-13777-b.patch \
 file://CVE-2020-13777-c.patch \
+ file://CVE-2020-24659.patch \
 "
 SRC_URI[md5sum] = "bb1fe696a11543433785b4fc70ca225f"
diff --git a/meta/recipes-support/libpcre/libpcre/CVE-2020-14155.patch b/meta/recipes-support/libpcre/libpcre/CVE-2020-14155.patch
new file mode 100644
index 0000000000..183512fd7d
--- /dev/null
+++ b/meta/recipes-support/libpcre/libpcre/CVE-2020-14155.patch
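Review bot: The new comment block above `_gnutls_abort_handshake` describes the state transition but not the return contract that `gnutls_handshake` now relies on by returning the helper's result directly: the tolerated cases (server side, or client with `initial_negotiation_completed` set or no Server Hello yet) reset `STATE` to `STATE0` and hand back the original `ret`, whereas a client that already received a Server Hello in an incomplete initial handshake gets the fatal `GNUTLS_E_UNEXPECTED_PACKET`, which is what makes the `while (ret < 0 && gnutls_error_is_fatal(ret) == 0)` idiom from the commit message stop instead of reusing the half-built handshake state. I would add ` * Returns the error code to hand back to the caller; only the tolerated cases reset STATE to STATE0.` to that comment. The two new comments also read `toleretes`/`tolerete` for `tolerates`/`tolerate`; if the backport is meant to stay verbatim with upstream, keep the text but it is worth noting. `_gnutls_abort_handshake` lies fully within the hunk; `read_server_hello` and `gnutls_handshake` extend outside it.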
@@ -0,0 +1,41 @@
+--- pcre-8.43/pcre_compile.c 2020-07-05 22:26:25.310501521 +0530
++++ pcre-8.43/pcre_compile1.c 2020-07-05 22:30:22.254489562 +0530
+
+CVE: CVE-2020-14155
+Upstream-Status: Backport [https://vcs.pcre.org/pcre/code/trunk/pcre_compile.c?view=patch&r1=1761&r2=1760&pathrev=1761]
+Signed-off-by: Rahul Taya<Rahul.Taya@kpit.com>
+
+@@ -6,7 +6,7 @@
+ and semantics are as close as possible to those of the Perl 5 language.
+ 
+ Written by Philip Hazel
+- Copyright (c) 1997-2018 University of Cambridge
++ Copyright (c) 1997-2020 University of Cambridge
+ 
+ -----------------------------------------------------------------------------
+ Redistribution and use in source and binary forms, with or without
+@@ -7130,17 +7130,19 @@
+ int n = 0;
+ ptr++;
+ while(IS_DIGIT(*ptr))
++ {
+ n = n * 10 + *ptr++ - CHAR_0;
++ if (n > 255)
++ {
++ *errorcodeptr = ERR38;
++ goto FAILED;
++ }
++ }
+ if (*ptr != CHAR_RIGHT_PARENTHESIS)
+ {
+ *errorcodeptr = ERR39;
+ goto FAILED;
+ }
+- if (n > 255)
+- {
+- *errorcodeptr = ERR38;
+- goto FAILED;
+- }
+ *code++ = n;
+ PUT(code, 0, (int)(ptr - cd->start_pattern + 1)); /* Pattern offset */
+ PUT(code, LINK_SIZE, 0); /* Default length */
diff --git a/meta/recipes-support/libpcre/libpcre_8.43.bb b/meta/recipes-support/libpcre/libpcre_8.43.bb
index b97af08b25..60ece64504 100644
--- a/meta/recipes-support/libpcre/libpcre_8.43.bb
+++ b/meta/recipes-support/libpcre/libpcre_8.43.bb
@@ -12,6 +12,7 @@ SRC_URI = "https://ftp.pcre.org/pub/pcre/pcre-${PV}.tar.bz2 \
 file://out-of-tree.patch \
 file://run-ptest \
 file://Makefile \
+ file://CVE-2020-14155.patch \
 "
 SRC_URI[md5sum] = "636222e79e392c3d95dcc545f24f98c4"
diff --git a/meta/recipes-support/sqlite/sqlite3/CVE-2020-13632.patch b/meta/recipes-support/sqlite/sqlite3/CVE-2020-13632.patch
new file mode 100644
index 0000000000..7af5e91c4c
--- /dev/null
+++ b/meta/recipes-support/sqlite/sqlite3/CVE-2020-13632.patch
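Review bot: The patch's file header names a different file on each side, `--- pcre-8.43/pcre_compile.c` versus `+++ pcre-8.43/pcre_compile1.c`, and the `CVE:`/`Upstream-Status:`/`Signed-off-by:` metadata sits between the `+++` line and the first `@@` hunk instead of above the headers as in the other patches in this commit. I have not verified how quilt or GNU patch picks the target when the two names differ, so I would regenerate the header from the upstream revision linked in `Upstream-Status` so both sides read `pcre_compile.c`, and move the metadata above the `---` line. The first hunk only bumps the copyright year and could be dropped from a backport. The second hunk is the actual fix and reads correctly: with the `n > 255` check inside the digit loop, `n` can no longer keep accumulating digits past the limit before it is validated; the enclosing function extends outside the hunk.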
@@ -0,0 +1,32 @@
+From 219b8e7e7587df8669d96ce867cdd61ca1c05730 Mon Sep 17 00:00:00 2001
+From: drh <drh@noemail.net>
+Date: Thu, 14 May 2020 23:59:24 +0000
+Subject: [PATCH] Fix a null pointer deference that can occur on a strange
+ matchinfo() query.
+
+FossilOrigin-Name: a4dd148928ea65bd4e1654dfacc3d8057d1f85b8c9939416991d50722e5a720e
+
+Upstream-Status: Backport
+CVE: CVE-2020-13632
+[https://github.com/sqlite/sqlite/commit/219b8e7e7587df8669d96ce867cdd61ca1c05730]
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ sqlite3.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sqlite3.c b/sqlite3.c
+index fd28360..ee455e5 100644
+--- a/sqlite3.c
++++ b/sqlite3.c
+@@ -177622,7 +177622,7 @@ static int fts3ExprLHits(
+ iStart = pExpr->iPhrase * ((p->nCol + 31) / 32);
+ }
+ 
+- while( 1 ){
++ if( pIter ) while( 1 ){
+ int nHit = fts3ColumnlistCount(&pIter);
+ if( (pPhrase->iColumn>=pTab->nColumn || pPhrase->iColumn==iCol) ){
+ if( p->flag==FTS3_MATCHINFO_LHITS ){
+-- 
+2.17.1
+
diff --git a/meta/recipes-support/sqlite/sqlite3_3.29.0.bb b/meta/recipes-support/sqlite/sqlite3_3.29.0.bb
index 95e1174b07..425612bf12 100644
--- a/meta/recipes-support/sqlite/sqlite3_3.29.0.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.29.0.bb
@@ -13,6 +13,7 @@ SRC_URI = "http://www.sqlite.org/2019/sqlite-autoconf-${SQLITE_PV}.tar.gz \
 file://CVE-2019-19959.patch \
 file://CVE-2019-20218.patch \
 file://CVE-2020-11655.patch \
+ file://CVE-2020-13632.patch \
 "
 SRC_URI[md5sum] = "8f3dfe83387e62ecb91c7c5c09c688dc"
 SRC_URI[sha256sum] = "8e7c1e2950b5b04c5944a981cb31fffbf9d2ddda939d536838ebc854481afd5b" |